RE: Another false Citibank e-mail...a new phishing?
From: "Bill Royds" <full-disclosure () royds net>
Date: Sat, 20 Mar 2004 15:03:16 -0500
Phishing mails don't have any need to use the %01 exploit if they can get
gullible people to click on a link in an email message that just has a plain
IP address as this one does.
That IP address has reverse lookup to
which has whois information
#203, Shinhan bldg, 902-55
Domain Name: KRLINE.NET
Administrative Contact, Technical Contact:
KrLine Internet Service Inc. (DM3184-ORG) domain () KRLINE NET
#203, Shinhan bldg, 802-55
82-2-3461-3282 fax: 82-2-572-3471
Record expires on 01-Oct-2006.
Record created on 01-Oct-1999.
Database last updated on 20-Mar-2004 14:59:12 EST.
Domain servers in listed order:
Why do you think Citibank would use an ISP in Korea to check accounts? It is
an obvious phishing expedition.
The only thing new is that it is using SSL for the connection to the scam web
site to allow people to feel that it is somehow secure.
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Elia Florio
Sent: March 20, 2004 2:24 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Another false Citibank e-mail...a new phishing?
I received this bad-spoofed-Citibank e-mail,
which points to a PHP page which asks
for credit card number... and stole it!!!
Is it the next phishing e-mail?
The link points to http://188.8.131.52:443/citi/
It does not use "%01" exploit to show a spoofed-URL in the Explorer bar.
Full-Disclosure - We believe in it.
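
Added example, not part of the original thread: a mail-filter style check for the two link patterns discussed above, a raw IP address as the host (with port 443 or https) and the "%01" userinfo trick. The function names, finding labels and sample body are assumptions made up for illustration; the addresses are documentation ranges.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body; addresses are documentation ranges, names are made up.
SAMPLE = """Dear customer, please verify your account:
http://192.0.2.10:443/citi/
http://www.bank.example%01@192.0.2.77/login.php
https://www.bank.example/help
"""


def link_findings(url):
    """Return the reasons a link in a bank-themed mail deserves suspicion."""
    findings = []
    parts = urlsplit(url)
    try:
        ipaddress.ip_address(parts.hostname or "")
        findings.append("ip-literal-host")  # raw address, no brand domain
        # Encryption to a bare IP says nothing about who runs the site.
        if parts.scheme.lower() == "https" or parts.port == 443:
            findings.append("https-or-443-on-ip")
    except ValueError:
        pass  # host is a name (or the port is malformed)
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")  # real host is whatever follows '@'
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
        if any(ord(ch) < 0x20 for ch in userinfo):
            findings.append("control-char-in-userinfo")  # the "%01" pattern
    return findings


def scan_mail_body(body):
    """Map each suspicious URL found in the body to its list of findings."""
    return {u: f for u in URL_RE.findall(body) if (f := link_findings(u))}


if __name__ == "__main__":
    for url, why in scan_mail_body(SAMPLE).items():
        print(url, "->", ", ".join(why))
```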