The flaw makes it easier for criminals involved in phishing - an email scam designed to defraud customers of their credit card numbers and other personal information that can then be used for identity theft. Typically, the email message employs some kind of scare tactic designed to entice users into visiting a site and divulging their critical financial and personal details.
On January 10, 2004, a Citibank phishing email began making the rounds, warning Citibank customers of possible fraud affecting their accounts and urging them to log in to check the status. Though the email link takes the recipient to a website address that displays www.citibank.com in the browser address bar, in reality, the site is http://184.108.40.206/login/login.htm and records show it is hosted by Chang Hyo-Sun of Enterprise Networks in North Korea.
That fraudulent email is received as follows (italics are for emphasis only and are not included in the original email):
- Subject: Important Fraud Alert from Citibank
Body: Dear Citibank Account Holder,
On January 10th 2004 Citibank had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities.
Due to our extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct.
Citibank notifies all it's customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below.
The email then contains a button that reads "Click Here To Login". Clicking the button appears to take the recipient to the web address www.citibank.com, but the destination is instead a criminal North Korean site.
Microsoft released a patch in February 2004 to prevent this particular version of the exploit from occurring and at least one antivirus vendor, Trend Micro, has added detection for the fraudulent email. Trend Micro's products, including PC-cillin Internet Security 2004 (see review), will detect this particular email as HTML_CITIFRAUD.A.
However, it is still possible, through the use of full-screen pop-ups and special scripts, to obfuscate the real URL and make it appear as if another site's URL is the web address. Phishing is apparently a lucrative business for these criminals: as soon as one phishing site is shut down, another appears and a new email begins circulating.
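Because the deception happens when the address is displayed, a mail filter can look instead at where each link in a message really points. The following is an added example, not part of the original article or of any vendor's product: it flags links and form targets whose real host is a bare IP address, or whose visible text names a different host than the destination. The sample message is constructed, and the names `LinkCollector`, `is_ip` and `audit_links` are hypothetical.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample modelled on the message the article describes.
SAMPLE = """<a href="http://184.108.40.206/login/login.htm">Click Here To Login</a>
<a href="http://login.example.net/">www.citibank.com</a>
<a href="https://www.example.com/help">www.example.com</a>"""
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (url, visible_text) from <a href> and <form action>."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form" and a.get("action"):
            self.links.append((a["action"], ""))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html):
    """Return (url, real_host, reasons) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for url, text in parser.links:
        host = (urlsplit(url).hostname or "").lower()  # where the link really goes
        shown = {h.lower() for h in HOST_RE.findall(text)}  # hosts named in link text
        reasons = [r for r, hit in (("ip-literal-host", is_ip(host)),
                   ("text-host-mismatch", bool(shown) and host not in shown)) if hit]
        if reasons:
            findings.append((url, host, reasons))
    return findings
```

Run over the constructed sample, `audit_links(SAMPLE)` reports the first two links and leaves the third, whose text and destination agree, unflagged.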