Re: Phishing (Was Re: WashingtonPost computer security stories)

[Henry Linneweh <hrlinneweh () sbcglobal net>]

How strange, I received that in my email too..

-Henry


--- Niels Bakker <niels=nanog () bakker net> wrote:

> Speaking of computers fubar'ed by spyware, I just
> found a particularly
> nice example of a phishing attempt.  SpamAssassin
> had tagged it with the
> astronomical score of 136.3 thanks to SARE.
>
> The mail originated from 68.77.56.130 (an
> ameritech.net DSL connection,
> right now not pingable) and loads some images from
> www.citibank.com.
> It links to http://61.128.198.51/Confirm/ - an IP
> address hosted by
> Chinanet (transit to there supplied by Savvis from
> my point of view).
>
> That page does something interesting: it meta
> refreshes itself to
> Citibank's corporate homepage but also pops up a
> window
> (/Confirm/pop.php) requesting the user's card#, PIN
> (twice) and a
> new PIN.  The main page being citibank probably
> lends some credibility
> to the scam.
>
> This attack won't work if your browser blocks
> popups, or if you remember
> that the padlock icon in the status bar is what
> tells you the status of
> a connection, not a "128-bit SSL" or "Verisign
> trust-e" or whatever logo
> inside the webpage.
>
> It's disheartening to see that this website is still
> online after
> several days (I received the scam mail received
> Friday morning).
>
> I'm thinking that Citibank will cease to be a target
> if they give (ok,
> it's a bank - sell) their subscribers a hardware
> token that requires
> presence of the ATM card when the customer wants to
> use online banking
> facilities... as several banks here in the
> Netherlands do.
>
>
>       -- Niels.