Pacific Tides
My name is Thomas Sturm and I'm a programmer, photographer and writer.

Now go outside and look at the sky.

Daily Spam #3

My wife got a fake citibank email today...

Subject: Your Checking Account at Citibank.

From: Citibank (Carroll_Karlotte@collegeclub.com)

Well... the email address gave it away... :-)

Time to take out the magnifying glass and look a little bit closer at this specimen:

The collegeclub email address is probably fake - there seems to be a wave of spam coming from that server and I'd assume that this is a hacked open relay.

The email contains an address to a fake citibank URL which in reality goes to http://211.155.234.84/cgi-bin/s.pl which is a script on www.nanhua.net, a Chinese portal site. The script creates a fake citibank page which asks for identification in the form of your full name and the first 4 digits of your citibank account card (Yeah, right!).

If the user submits the page, he will indeed be sent to the citigroup.com server, so for most users this will be a completely transparent fake - they will never understand that they just sent some personal information to some scumbags who will then busily combine all this good data in their scam databases...

So where does the form send it's data? To rockahome@msbx.net, which does not seem to be reliably online (bad choice for a spammer!).

Oh - and how many people did receive this spam and click through? For once, we can actually watch in realtime, since these spammers use a russian tracking service (hotlog.ru) and the JavaScript in the fake citibank page contains the id number for the hit counter. Click here (http://hit5.hotlog.ru/cgi-bin/hotlog/count?s=126298&im=201) to see the current number of people who clicked on that spam link. 6 hours after we received the email, 46300 people had done so...

Update 8/20:

The page was taken down sometime yesterday I guess... and more than 182000 people must have clicked on the link in the original spam email, according to their hit counter (the link above still works!).

It's questionable if the spammers actually got much out of this since their email account for the forwarded user data seems to have been broken most of the time, but this was still a pretty scary piece of email scam.

Update 11/13

SecurityFocus has a great article about this scam. It seems that this and several other financial scams were done by the same gang.

© 1998 - 2019 Thomas Sturm