Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Another false Citibank e-mail...a new phishing?
From: "Bill Royds" <full-disclosure () royds net>
Date: Sat, 20 Mar 2004 15:03:16 -0500

Phishing mails don't have any need to use the %01 exploit if they can get
gullible people to click on a link in an email message that just has a plain
IP address as this one does.
That IP address has reverse lookup to
which has whois information
   #203, Shinhan bldg, 902-55
   Togok-dong, Kangnamgu
   Seoul 135-270

   Domain Name: KRLINE.NET

   Administrative Contact, Technical Contact:
      KrLine Internet Service Inc.  (DM3184-ORG)  domain () KRLINE NET
      #203, Shinhan bldg, 802-55
      Seoul, Seoul
      82-2-3461-3282 fax: 82-2-572-3471

   Record expires on 01-Oct-2006.
   Record created on 01-Oct-1999.
   Database last updated on 20-Mar-2004 14:59:12 EST.

   Domain servers in listed order:


Why do you think Citibank would use an ISP in Korea to check accounts? It is
an obvious phishing expedition.
The only thing new is that is using SSL for the connection to the scamp web
site to allow people to feel that it is somehow secure.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Elia Florio
Sent: March 20, 2004 2:24 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Another false Citibank e-mail...a new phishing?

I receveid this bad-spoofed-Citibank e-mail,
which points to a PHP page which ask 
for credit card number..........and stole it!!!
Is it the next phishing e-mail ? 

The link points to

It does not use "%01" exploit to show a spoofed-URL in the Explorer bar.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]