Joe Wein
Fighting spam and scams
on the Internet


Phishing for your wallet: Suspicious mails involving Citibank, eBay, PayPal, etc.

What is 'phishing'?
As more people use computers for handling financial transactions, from online banking to purchasing or selling goods at eBay, fraudsters have started to use cleverly disguised spam to harvest information that allows them to break into online accounts and steal money.

Mails that typically claim to be from Citibank, eBay, PayPal or other banks state that because of some problem the recipient needs to confirm his/her access codes, or his/her account will be suspended. Other common tricks are fake payment disputes on eBay purchases, credit card or PayPal debit notices for goods never purchased, or questions from buyers about goods one is not selling. These surprising emails are meant to trick people into acting rashly, without thinking.

Some of these emails look almost exactly like the real thing, complete with company logos, etc. Don't fall for it! Citibank, PayPal and other financial institutions never contact their customers supplying a link for re-entering their account numbers, passwords or PIN-codes. Though the links lead to websites that look like official company websites and in some cases even the browser displays a matching URL, these sites are in fact put up by fraudsters and are usually hosted on servers in China or on hacked computers. It is suspected that Russian organized crime groups are the main operators of this type of scam.

Closely related to the phishing scams are parcel remailing scams and "Money Agent" scams. The same gangs that run phishing scams to crack eBay / PayPal / online banking accounts then recruit job seekers using fraudulent job offers from fake companies. The employees are needed to receive and remail merchandise purchased using hacked eBay accounts and for forwarding money stolen from hacked accounts.

Both phishing and employment scams often involve botnets, networks of remote-controlled computers running so-called "Trojan horse" software. The criminals control tens of thousands of these "zombies" and use them to send spam, to host fake websites and to attack other websites.

What you can do
Join PhishTank to report phishing websites. This site relies on volunteers to submit phishing reports and to verify submitted reports. The data then feeds into OpenDNS, a system for protecting web users from malicious sites. Feed a phish each day (if any get past your spamfilter!).

jwSpamSpy
Are you sick of spam too? Do you want it stopped now?
Try jwSpamSpy, the spamfilter we use to track the spammers!
Free 30-day trial version available now!

What you can do
If you receive such emails, either disregard them or forward them to the security departments of the institutions they claim to originate from. You can also forward the messages (with full headers!) to the email address postmaster at corp.mailsecurity.net.au, which feeds them into a database used for blocking spam.


Example of 'phishing' scam:
On July 2 I received the following message:

From: "Support" <cash@citibank.com>
To: <joewein@pobox.com>
Sent: Friday, 02 July, 2004 0:01
Subject: Please confirm your account details with Citibank!


Dear Customer,


This email was sent by the Citibank server to verify your E-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Citibank Debit
Card number and PIN that you use on ATM.


This is done for your protection - because some of our members
no longer have access to their email addresses and we must
verify it.


To verify your E-mail address and access your bank account,
click on the link below:

https://wwww.citibank.com/signin/confirmation.jsp


---------------------------------------

Thank you for being our customer

---------------------------------------
The sender address looks like Citibank and the link appears to lead to Citibank's website. If you click on the link, you get a site that looks like a genuine Citibank website:

If you fill in totally bogus numbers and click submit, the site will accept them without complaint, as it does not verify them but only forwards them to the criminals...

If you look at the message source (Ctrl+F3 in Outlook Express), you will see that it was sent from a machine connected through an Italian telephone company's network, and that the website link actually goes to the URL http://219.148.127.67/scripts/confirmation.htm.

Return-path: <cash@citibank.com>
Envelope-to: joewein@pobox.com
Received: from host90-236.pool81117.interbusiness.it (host90-236.pool81117.interbusiness.it [81.117.236.90])
by kelvin.pobox.com (Postfix) with SMTP id C3D8A184DA9;
Thu, 1 Jul 2004 10:20:13 -0400 (EDT)
X-Message-Info: PVHpdpBRT386vYQ73DgUJ038RDhxWYP334B093EU54gvc2GW
Received: (from r63leaven@localhost)
by jz703-create931.yph51e.hotmail.com (6.42.66/9.40.36) id s797C55j51593;
Thu, 01 Jul 2004 17:06:30 +0200 GMT
X-Authentication-Warning: hvy27-bombast1.egf59ofb.hotmail.com: fs950decision set sender to cash@citibank.com using -u
MIME-Version: 1.0
Date: Thu, 01 Jul 2004 14:01:30 -0100
From: Support <cash@citibank.com>
Subject: Please confirm your account details with Citibank! To: joewein@pobox.com
Message-Id: <mk891lrr282-565696110917656-85715486442173513960083794653@fischbein26>
Content-Type: multipart/alternative; boundary="--63924826445955534931"

----63924826445955534931
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<P>Dear Customer,</P>
<P><BR>This email was sent by the Citibank server to verify your E-mail<BR=
>address. You must complete this process by clicking on the link<BR>below =
and entering in the small window your Citibank Debit<BR>Card number and PI=
N that you use on ATM.</P>
<P><BR>This is done for your protection - because some of our members<BR>n=
o longer have access to their email addresses and we must<BR>verify it.</P=
>
<P><BR>To verify your E-mail address and access your bank account,<BR>clic=
k on the link below:</P><A href=3D"http://219.148.127.67/scripts/confirmat=
ion.htm">https://wwww.citibank.com/signin/confirmation.jsp</A></A>
<P></P>
<P><BR>---------------------------------------</P>
<P>Thank you for being our customer</P>
<P>---------------------------------------</P>


----63924826445955534931--
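The two things the message source reveals, the link whose visible text names one host while its href loads another and the first Received header written by the receiving server, can be checked automatically. The following Python script is an added example, not code from the original page: SAMPLE_RAW is a constructed, shortened copy of the message above, OUR_MX is assumed from its first Received line, and the function names are my own.

```python
"""Inspect a raw phishing email for two signs discussed above: anchor text that
names a different host than the real href, and the true origin of the message as
recorded by our own mail server.

Added example, not code from the original page. SAMPLE_RAW is a constructed,
shortened copy of the message quoted above; OUR_MX is assumed from its first
Received header.
"""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_MX = "kelvin.pobox.com"  # assumed: the server that accepted the message

# Constructed sample: headers and HTML part trimmed from the message shown above.
SAMPLE_RAW = """\
Return-path: <cash@citibank.com>
Received: from host90-236.pool81117.interbusiness.it (host90-236.pool81117.interbusiness.it [81.117.236.90])
 by kelvin.pobox.com (Postfix) with SMTP id C3D8A184DA9;
 Thu, 1 Jul 2004 10:20:13 -0400 (EDT)
Received: (from r63leaven@localhost)
 by jz703-create931.yph51e.hotmail.com (6.42.66/9.40.36) id s797C55j51593;
 Thu, 01 Jul 2004 17:06:30 +0200 GMT
MIME-Version: 1.0
From: Support <cash@citibank.com>
Subject: Please confirm your account details with Citibank!
To: joewein@pobox.com
Content-Type: multipart/alternative; boundary="--63924826445955534931"

----63924826445955534931
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<P>Dear Customer,</P>
<P><BR>To verify your E-mail address and access your bank account,<BR>clic=
k on the link below:</P><A href=3D"http://219.148.127.67/scripts/confirmat=
ion.htm">https://wwww.citibank.com/signin/confirmation.jsp</A></A>
<P>Thank you for being our customer</P>

----63924826445955534931--
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None  # a stray extra </A>, as in the sample, is ignored


def deceptive_links(raw_message):
    """Return (real_href, shown_text) pairs where the link text is itself a URL
    whose host differs from the host the href actually loads."""
    msg = email.message_from_string(raw_message)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes quoted-printable ("=3D" -> "=", soft line breaks joined).
        html_text = part.get_payload(decode=True).decode("utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html_text)
        for href, text in collector.links:
            shown = urlparse(text)
            if shown.scheme in ("http", "https") and shown.hostname != urlparse(href).hostname:
                found.append((href, text))
    return found


def origin_hop(raw_message, our_mx):
    """Return (connecting_ip, connecting_host, claimed_from_domain) from the
    Received header our own server wrote. Only that hop can be trusted: every
    Received line below it (here the 'hotmail.com' one) was supplied by the sender."""
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        if "by " + our_mx not in received:
            continue
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
        host = re.search(r"from\s+(\S+)", received)
        _, addr = email.utils.parseaddr(msg.get("From", ""))
        return (ip.group(1) if ip else None,
                host.group(1) if host else None,
                addr.rpartition("@")[2].lower())
    return None, None, None


if __name__ == "__main__":
    for href, shown in deceptive_links(SAMPLE_RAW):
        print(f"link shows {shown} but loads {href}")
    ip, host, claimed = origin_hop(SAMPLE_RAW, OUR_MX)
    print(f"received from {host} [{ip}]; From: header claims {claimed}")
```

Run on the sample, the script reports that the link shows https://wwww.citibank.com/signin/confirmation.jsp but loads http://219.148.127.67/scripts/confirmation.htm, and that the message arrived from host90-236.pool81117.interbusiness.it (81.117.236.90) while the From: header claims citibank.com. The same two checks are what a mail filter or an abuse desk applies by hand when reading full headers, which is why the page asks for them when forwarding a sample.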

'Phishing'-site hosted in China (China Telecom):
The actual scam website address (http://219.148.127.67/scripts/confirmation.htm) was still working two days after we received the spam email. The site is hosted by the following network:

     inetnum:      219.148.0.0 - 219.148.159.255
     netname:      CHINATELECOM-he
     descr:        CHINANET hebei province network
     descr:        China Telecom
     descr:        No.31,jingrong street
     descr:        Beijing 100032
     country:      CN
     admin-c:      CH93-AP
     tech-c:       BR3-AP
     mnt-by:       MAINT-CHINANET
     mnt-lower:    MAINT-CHINATELECOM-he
     changed:      hostmaster@ns.chinanet.cn.net 20030820
     status:       ALLOCATED NON-PORTABLE
     source:       APNIC
     
     person:       Chinanet Hostmaster
     address:      No.31 ,jingrong street,beijing
     address:      100032
     country:      CN
     phone:        10-66027112
     fax-no:       10-58501144
     e-mail:       hostmaster@ns.chinanet.cn.net
     e-mail:       anti-spam@ns.chinanet.cn.net
     nic-hdl:      CH93-AP
     mnt-by:       MAINT-CHINANET
     changed:      hostmaster@ns.chinanet.cn.net 20021016
     remarks:      hostmaster is not for spam complaint,please send spam 
                   complaint to anti-spam@ns.chinanet.cn.net
     source:       APNIC
     
     person:       Bin Ren
     nic-hdl:      BR3-AP
     e-mail:       renbin@mail.he.cn
     address:      10F Ximei Building NO.6 Jianshe South Street
     address:      Shijiazhuang 050011 China
     phone:        311-5211551
     fax-no:       311-5211578
     country:      CN
     changed:      renbin@mail.he.cn 20040430
     mnt-by:       MAINT-CHINATELECOM-HE
     source:       APNIC

When we checked on 2004-07-20, a total of 19 days after the initial email, the fraud website (http://219.148.127.67/scripts/confirmation.htm) was still active on the Chinanet server. It opens the real Citibank website, which shows a trustworthy-looking page with the Citibank URL, but then pops up a window without an address bar that runs a PHP script.


'Phishing' links:
How Not to Get Hooked by a ‘Phishing’ Scam
Anti-Phishing Working Group
eBay Security Center
spoof@ebay.com (eBay spoof reporting address)
Citibank: Citi ™ Cards – Security and You


Recent Phishing URLs:

http://www.goorzicht.nl/event/Logon.htm
http://www.podologen-motorradclub.de/forum/templates/subSilver/chase1/chase1/logon.htm
http://arcsaevea.com/nationwide/
http://www.bengaliguru.com/photo/albums/userpics/asp/USERS/Common/Login/NetLogin.htm
http://www.arsecandle.com/photos/albums/userpics/10008/cancel.php
http://kampfkunst-damo.de/onlineflie/wachoviabank/index.htm
http://www.russtrong.ru/modules/update.php/acc/index.htm
http://pistalibera.org/db/db/acct-update/nationwide/sing-on/index.html
http://www.global-ind.co.kr/tr.html
http://www.spotit.de/secure/WellsFargo/usernull.html
http://www.aafe.cn/img/Protect.html
http://nubbtech.com/stats/images/html2.gif
http://www.sicherheit-ist-illusion.de/network/probleme/.ultrabranch.alaskausa.org/login.htm
http://www.ssangyong.ms.kr/style/Security_Center.html
http://loveni.com/charges125.scr
http://www.ssangyong.ms.kr/bbs/a.html
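Several patterns recur in the list above and in the Citibank case: a bare IP address in place of a domain, a bank's name in the path of a site that is not the bank's, a host-like string hidden inside the path, or a link that is really a program download. The following Python script is an added example, not code from the original page; the brand keyword list, the indicator names and the SAMPLE_URLS (a few entries copied from the list above plus one constructed genuine-looking address) are assumptions made for illustration.

```python
"""Heuristic indicators of a phishing URL, applied to addresses like those above.

Added example, not code from the original page. BRANDS, the indicator names and
SAMPLE_URLS are assumptions for illustration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Brands impersonated in the URLs on this page; assumed list, extend as needed.
BRANDS = ("citibank", "paypal", "ebay", "chase", "wachovia", "wellsfargo", "nationwide")
# Extensions that make the "link" a program download rather than a web page.
EXECUTABLE_EXT = (".scr", ".exe", ".pif", ".bat")
# A path segment that looks like a host name, e.g. "/.ultrabranch.alaskausa.org/".
HOST_IN_PATH = re.compile(r"/\.?[a-z0-9-]+(?:\.[a-z0-9-]+)+\.(?:org|com|net)/")

# Constructed sample: entries copied from the list above plus one genuine-looking address.
SAMPLE_URLS = [
    "http://219.148.127.67/scripts/confirmation.htm",
    "http://www.podologen-motorradclub.de/forum/templates/subSilver/chase1/chase1/logon.htm",
    "http://kampfkunst-damo.de/onlineflie/wachoviabank/index.htm",
    "http://www.spotit.de/secure/WellsFargo/usernull.html",
    "http://www.sicherheit-ist-illusion.de/network/probleme/.ultrabranch.alaskausa.org/login.htm",
    "http://loveni.com/charges125.scr",
    "http://www.goorzicht.nl/event/Logon.htm",           # nothing obvious from the URL alone
    "https://www.citibank.com/signin/confirmation.jsp",  # constructed: shape of a genuine address
]


def phish_indicators(url):
    """Return the indicator names that apply to url; an empty list means none found."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    hits = []

    # A bare IP address instead of a domain name (as with 219.148.127.67 above).
    try:
        ipaddress.ip_address(host)
        hits.append("ip_host")
    except ValueError:
        pass

    # A bank brand in the path but not in the host: the page is not on the bank's site.
    # Substring matching is deliberately crude ("purchase" would trigger "chase").
    in_path = [b for b in BRANDS if b in path.replace("_", "").replace("-", "")]
    if in_path and not any(b in host for b in in_path):
        hits.append("brand_in_path_only")

    # A host-like string inside the path, meant to pass for the real address.
    if HOST_IN_PATH.search(path):
        hits.append("fake_host_in_path")

    # The target is an executable file, not a page.
    if path.endswith(EXECUTABLE_EXT):
        hits.append("executable_target")
    return hits


def scan(urls):
    """Map each URL that has at least one indicator to its list of indicators."""
    result = {}
    for url in urls:
        hits = phish_indicators(url)
        if hits:
            result[url] = hits
    return result


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        print(url, "->", ", ".join(hits))
```

These heuristics only look at the address itself, so they say nothing about a page whose URL is unremarkable (the goorzicht.nl entry) and they do not examine the mismatch between a link's visible text and its real href, which is a separate check on the message body. In practice such URL rules are combined with a shared blocklist such as the PhishTank feed mentioned above rather than used on their own.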
