Verify your E-mail with Citibank

by Don Singleton
Tulsa Computer Society
From the April 2004 issue of the I/O Port Newsletter

I received an email, supposedly from support@citibank.com, with the subject Verify your E-mail with Citibank. Note the email did not have any background color; the color below was added to make it clear what part was from the email, and what part of this article I wrote.

Dear Citibank Member,

This email was sent by the Citibank server to verify your E-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM.

This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it.

To verify your E-mail address and access your bank account, click on the link below:
https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp

That looks like a URL for Citibank, doesn't it? However, clicking on it would take one to http://www.securecitibank.us/scripts/email_verify.htm rather than to the real Citibank URL: the text shown for the link and the address the link actually points to were two different things.

According to http://samspade.org/ the domain www.securecitibank.us is registered to wayne stanford, 3057 sunrise cir, marina, CA and the domain nameservers for that domain are provided by CHEAPBPHOSTING.COM (NameCheap.com).

I did a VisualRoute trace to www.securecitibank.us and I see the server is in China:

I don't even have a CitiBank card, but I decided to pretend I did, and that I foolishly wanted to comply with the email, so I went ahead and went to http://www.securecitibank.us/scripts/email_verify.htm. With ZoneAlarm Pro active I would not have seen anything, because I got a web page that tried to spawn a new window in such a manner that ZoneAlarm Pro blocked it, i.e. it used the following JavaScript:

function closeMe() {
    // Setting opener to self is an old Internet Explorer trick so that
    // window.close() shuts the original window without a confirmation prompt.
    window.opener = self;
    window.close();
}
function MM_openBrWindow(theURL,winName,features) { //v2.0
    // Dreamweaver-style helper: open theURL in a new window using the given
    // feature string (here the feature string turns the address bar off).
    window.open(theURL,winName,features);
}

And the web page had:
<body onLoad="closeMe();MM_openBrWindow('sys.php','ini','toolbar=yes,location=no, status=yes,menubar=yes,scrollbars=no,resizable=yes,width=800,height=600')">

but I temporarily stopped ZoneAlarm Pro and got:

The Chinese do have one error in their web page, because I got:

Warning: session_start(): open(/tmp\sess_4f2ec4a684ceb1f644c596d99cc05b38, O_RDWR) failed: No such file or directory (2) in d:\domains\securecitibank.us\wwwroot\scripts\vdaemon\vdaemon.php on line 78

Except for that, it sure looks like CitiBank, doesn't it? It even appears that I am at the real Citibank server, i.e.
https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp

But note, the URL has https, which means it is supposedly on a secure server, yet at the bottom of the screen I do not see the yellow padlock that I should see if I were really on a secure server. I tried going to the URL on the real Citibank server, and although that URL does not exist there (I got a 404 Page Not Found), I do see the yellow padlock:

How did the Chinese fool my Internet Explorer? For the answer I saved the Chinese web page to my hard disk and looked at the graphic files, and see:

Note the graphics, and take a look at your own Internet Explorer. They actually faked the URL line from Internet Explorer. How did they do that? Let us take a look at some of the code in their web page. Note in particular three items: the fake URL, which is nothing more than the value of an ordinary text INPUT drawn on top of a background image of the address bar (ie2.gif); the go1.gif file, which is the graphic at the right side of the Internet Explorer bar; and the address http://www.securecitibank.us/scripts/sys.php, which is the real site where the data will be transferred.

<TABLE borderColor=#c0c0c0 cellSpacing=0 cellPadding=0 width="100%" border=0>
  <TR>
    <TD style="BACKGROUND-POSITION: left 50%; BACKGROUND-IMAGE: url(ress.gif); BACKGROUND-REPEAT: no-repeat" align=left width="81%" height=22>
      <INPUT class=indent id=newAddr style="BACKGROUND-POSITION: left top; FONT-SIZE: 8pt; BACKGROUND-IMAGE: url(ie2.gif); WIDTH: 100%; BACKGROUND-REPEAT: no-repeat; HEIGHT: 22px" size=50 value=" https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp" name=no>
    </TD>
    <TD width=146 bgColor=#c0c0c0 height=22>
      <A onmousedown="MM_swapImage('Image2','','pdownclick.gif',1)" style="CURSOR: default" onmouseout=MM_swapImgRestore() href="http://www.securecitibank.us/scripts/sys.php#">
        <IMG onclick="MM_showHideLayers('pop','','show')" height=21 src="Citi_files/pdown.gif" width=17 border=0 name=Image2>
      </A>
      <A onmousedown="MM_swapImage('Image1','','go1click.gif',1);MM_displayStatusMsg('Done');return document.MM_returnValue" onmouseover="MM_swapImage('Image1','','go1roll.gif',1);MM_displayStatusMsg('Done');return document.MM_returnValue" onmouseout=MM_swapImgRestore() href="file:///E:/">
        <INPUT id=Image1 style="CURSOR: default" onclick=go() type=image height=22 width=49 src="Citi_files/go1.gif" border=0 name=image1>
      </A>
    </TD>
    </FORM>
  </TR>
</TABLE>

This code creates:

As the 1939 Hoagy Carmichael song with words by Johnny Mercer said, "Darn Clever These Chinese."
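The three tricks above (a link whose visible text is one URL while its destination is another, a popup opened with location=no so the real address bar disappears, and a text INPUT pre-filled with a URL to serve as a painted-on address bar) can all be spotted by looking at the HTML before anything is clicked. The following is an added example, not code from this article or from the phishing page it describes: a small Node.js script with no dependencies that runs those three checks over an HTML string. The sample strings are constructed from the fragments quoted in this article; the function names and regular expressions are my own, and the call-pattern check assumes the popup feature string is passed as the third string argument, as window.open and the MM_openBrWindow wrapper both take it.

```javascript
// Added example (not the article's or the phishing kit's code): static checks for
// the address-bar tricks described above. Sample inputs are constructed from the
// fragments quoted in the article.

const SAMPLE_EMAIL_HTML = `
<p>To verify your E-mail address and access your bank account, click on the link below:</p>
<a href="http://www.securecitibank.us/scripts/email_verify.htm">https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp</a>
<p>Sincerely, <a href="https://www.citibank.com/">https://www.citibank.com/</a></p>
`;

const SAMPLE_PHISH_PAGE = `
<body onLoad="closeMe();MM_openBrWindow('sys.php','ini','toolbar=yes,location=no, status=yes,menubar=yes,scrollbars=no,resizable=yes,width=800,height=600')">
<INPUT class=indent id=newAddr size=50 value=" https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp" name=no>
<a href="http://www.securecitibank.us/scripts/sys.php#"><IMG src="Citi_files/pdown.gif"></a>
</body>
`;

// <a href="...">text</a>
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
// <input ... value="...">
const INPUT_VALUE_RE = /<input\b[^>]*\bvalue\s*=\s*["']([^"']*)["']/gi;
// name('url', 'windowName', 'features'): the shape of window.open() and of the
// editor-generated wrappers around it (assumption: three string literal arguments).
const POPUP_CALL_RE = /\b([A-Za-z_$][\w$.]*)\s*\(\s*['"]([^'"]*)['"]\s*,\s*['"][^'"]*['"]\s*,\s*['"]([^'"]*)['"]\s*\)/g;

// Hostname of an absolute URL, or null if the text is not a URL with a host
// (so plain words and file:///E:/ both come back null).
function hostOf(text) {
  try {
    return new URL(text.trim()).hostname.toLowerCase() || null;
  } catch (e) {
    return null;
  }
}

function stripTags(s) {
  return s.replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
}

// Links whose visible text is itself a URL, but for a different host than the href.
function findDeceptiveLinks(html) {
  const hits = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1];
    const text = stripTags(m[2]);
    const shownHost = hostOf(text);
    const realHost = hostOf(href);
    if (shownHost && realHost && shownHost !== realHost) {
      hits.push({ shown: text, actual: href });
    }
  }
  return hits;
}

// Popup calls whose feature string switches the browser's own address bar off.
function findHiddenLocationPopups(src) {
  const hits = [];
  for (const m of src.matchAll(POPUP_CALL_RE)) {
    const features = m[3].split(",").map((f) => f.trim().toLowerCase());
    if (features.includes("location=no") || features.includes("location=0")) {
      hits.push({ call: m[1], url: m[2], features: m[3] });
    }
  }
  return hits;
}

// Text inputs pre-filled with an absolute URL: the raw material of a fake address bar.
function findUrlPrefilledInputs(html) {
  const hits = [];
  for (const m of html.matchAll(INPUT_VALUE_RE)) {
    if (hostOf(m[1])) hits.push(m[1].trim());
  }
  return hits;
}

function scan(html) {
  return {
    deceptiveLinks: findDeceptiveLinks(html),
    hiddenLocationPopups: findHiddenLocationPopups(html),
    urlPrefilledInputs: findUrlPrefilledInputs(html),
  };
}

console.log("email:", JSON.stringify(scan(SAMPLE_EMAIL_HTML), null, 2));
console.log("page: ", JSON.stringify(scan(SAMPLE_PHISH_PAGE), null, 2));
```

Run with `node` on a saved copy of a suspicious message or page. The email sample trips only the link check (the citibank.com link, whose text and href agree, is left alone); the page sample trips the popup check and the pre-filled input check. Regular expressions are enough for a triage tool like this, but for anything that has to cope with arbitrary markup a real HTML parser is the right foundation.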

I told Spam Inspector to bounce the message, and got:

I have said this in other articles, but it is worth repeating:
If you get an email that either asks you to directly enter your account number, password, or other private data, or that takes you to a specific web page which asks for that information, don't provide it. Type your bank's address into the browser yourself instead, and remember that what looks like the address bar, or the padlock, can be painted onto the page, as it was here.

Tulsa Computer Society 4/01/2004
Don Singleton, President