1. Technology
You can opt-out at any time. Please refer to our privacy policy for contact information.

Citibank phishing email


Updated March 28, 2004
Criminals exploiting a flaw Internet Explorer can easily dupe unsuspecting users into believing they are on one website when in fact they are on another. The exploit involves inserting the hex 0x01 between the legitimate site's address and the actual hosting address. This causes the legitimate website address to appear in the address bar, but the actual site being displayed is that of the criminal.

The flaw makes it easier for criminals involved in phishing - an email scam designed to defraud customers of their credit card numbers and other personal information that can then be used for identity theft. Typically, the email message employs some kind of scare tactic designed to entice users into visiting a site and divulging their critical financial and personal details.

On January 10, 2004, a Citibank phishing email began making the rounds, warning Citibank customers of possible fraud affecting their accounts and urging them to login to check the status. Though email link takes the recipient to a website address that displays www.citibank.com in the browser address bar, in reality, the site is and records show it is hosted by Chang Hyo-Sun of Enterprise Networks in North Korea.

That fraudulent email is received as follows (italics are for emphasis only and are not included in the original email:

    Subject: Important Fraud Alert from Citibank

    Body: Dear Citibank Account Holder,

    On January 10th 2004 Citibank had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities.

    Due to our extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct.

    Citibank notifies all it's customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below.

The email then contains a button that reads "Click Here To Login". Clicking the button appears to take the recipient to the web address www.citibank.com which instead is a criminal North Korean site.

Microsoft released a patch in February 2004 to prevent this particular version of the exploit from occuring and at least one antivirus vendor, Trend Micro, has added detection for the fraudulent email. Trend Micro's products, including PC-cillin Internet Security 2004 (see review), will detect this particular email as HTML_CITIFRAUD.A.

However, it is still possible, through the use of full screen pop-ups and special scripts, to obfuscate the real URL and make it appear as if another site's URL is the web address and phishing is apparently a lucrative business for these criminals. As soon as one phishing site is shutdown, another appears and a new email begans circulating.

Next page: Other Citibank phishing email

  1. About.com
  2. Technology
  3. Antivirus Software
  4. Phishing & Online Scams
  5. Citibank phishing email

©2014 About.com. All rights reserved.