Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Huge amounts of Citipank phishing spam seen this weekend.
From: Feher Tamas <etomcat () freemail hu>
Date: Mon, 5 Jul 2004 13:15:30 +0200 (CEST)

Return-Path: <safe () citibank com>
Delivered-To: xy () z com
Received: (qmail 26637 invoked by alias); 5 Jul 2004
10:22:42 -0000
Delivered-To: xy () z com
Received: (qmail 26625 invoked from network); 5 Jul 2004
10:22:42 -0000
Received: from unknown (HELO xxxxx) (192.168.xxx.xxx)
  by xxxxx.xxxxx.com with SMTP; 5 Jul 2004 10:22:42 -0000
Received: from [192.168.xxx.xxx]:3815 (EHLO xxxxxxx)
 by xxxxxx ([192.168.xxx.xxx]:25) (censored) with SMTP; Mon,
5 Jul 2004 10:22:39 -0000
Received: from avenirdev.net2.nerim.net
(avenirdev.net2.nerim.net []) by xxxxxxxx
(8.12.9/8.12.9) with SMTP id i65AMbvX009990;
Mon, 5 Jul 2004 12:22:38 +0200
X-Message-Info: EUZieVCD797cazJifePDLup79PXxd1+Jmeve090esDKB
Received: from bvoadkrq795.yahoo.com ([]) by
cv840-ena634.yahoo.com with Microsoft SMTPSVC(5.0.2195.6824);
Mon, 05 Jul 2004 14:02:44 +0300
Received: from Byronz447z00uvb7j ([]) by
mxbj13.yahoo.com (InterMail vM.
105-294-922-056-415-584970568) with SMTP id
<5635443945.NANBL433.zsvlyce336.yahoo.com () bootleggedve0rum66afa40fp>
for <xy () z com>; Mon, 05 Jul 2004 06:04:44 -0500
<179zi495neg7525$29816$x937hcd073 () Byronsmb495qc15mza67qrv>
From: "Support" <safe () citibank com>
To: <xy () z com>
Subject: Urgent Update: CitiSafe by Citibank
Date: Mon, 05 Jul 2004 17:02:44 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on xxxxx
X-Spam-Level: **
X-Spam-Status: No, hits=2.0 required=4.5
        NORMAL_HTTP_TO_IP autolearn=no version=2.63

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<title>Untitled Document</title>
<meta http-equiv=3D"Content-Type" content=3D"text/html;

<body bgcolor=3D"#FFFFFF" text=3D"#000000">
<b>Dear Citibank Customer</b>, 
<p> We recently noticed one or more attempts to log in to
your Citibank<br=

  account from a foreign IP address and we have reasons to
believe that<br=

  there was attempts to compromise it with brute forcing
your PIN number.<=
  No successful login was detected and you have full
protection by now. <b=
  If you recently accessed your account while travelling,
the unusual logi=
  attempts may have been initiated by you.</p>
<p><i>The login attempt was made from:<br>
  IP address:<br>
  ISP Host: cache-89.proxyserver.cis.com</i></p>
<p> By now, we used many techniques to verify the accuracy
of the<br>
  information our users provide us when they register on the
  However, because user verification on the Internet is
difficult, Citiban=
  cannot and does not confirm each user's purported
identity. Thus, we<br>=

  have established an offline verification system to help
you evaluate wit
  whom you are dealing with. The system is called CitiSafe
and it's<br>
  the most secure Citibank wallet so far.</p>
<p> If you are the rightful holder of the account, click the
link bellow, =
  the form and then submit as we will verify your identity
and register yo=
  to CitiSafe free of charge. This way you are fully
protected from fraudu=
  activity on all the accounts that you have with us.</p>
<p> <u><b><a
 to protect 
  yourself from fraudulent activity!</a></b></u></p>
<p> To make Citibank.com the most secure site, every user
will be <br>
  registered to CitiSafe.</p>
<p> <u>NOTE! If you choose to ignore our request, you leave
us no choice b=
ut to<br>
  temporally suspend your account.</u></p>
<p> * <u>Please do not respond to this e-mail, as your reply
will not be r=
<p>Regards, <b>Citibank Customer Support</b><br>


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]