The unique message was
Clicking on the link actually takes you to http://www.easysolutions24.net/verify/citipop.htm
The domain easysolutions24.net was registered on April 5, 2004 (6 days before I got the message). It is registered to someone in Germany, Ludwig Ritz (email address fakieshop@hotmail.com), Mandlstrasse 12, Muenchen, De, 80802, Germany, and the server is in Germany:
This one is really strange, because the page there uses this HTML code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Citipop</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script language="JavaScript" type="text/javascript">
<!-- Hide script from older browsers
setTimeout ("changePage()", 0);
function changePage() {
if (self.parent.frames.length != 0)
self.parent.location=document.location;
}
// end hiding contents -->
</script>
<meta http-equiv="refresh" content="0;URL=https://web.da-us.citibank.com/cgi-bin/citifi/scripts/home/visitor_homepage.jsp">
<SCRIPT LANGUAGE="JavaScript">
<!--begin
{
window.open('http://www.easysolutions24.net/verify/index.php','MyWindow','scrollbars=no,resizable=no,toolbar=no,width=350,height=450,left=350,top=200');
}
// end -->
</SCRIPT>
</head>
<body>
</body>
</html>
That code seems to open a window on their server for http://www.easysolutions24.net/verify/index.php, which is definitely an identity theft page:

although I never saw that window (even if I halted ZoneAlarmPro). It also does a "refresh" transfer to https://web.da-us.citibank.com/cgi-bin/citifi/scripts/home/visitor_homepage.jsp, which is a real Citibank page:

I don't understand what is going on. Possibly they let the redirect work most of the time, and disable it some of the time to let the other screen pop up to capture your data. I don't see how they intercept the data entered into the real Citibank site, but I certainly would not trust entering any data into a web page I saw by clicking any link from an email message, especially one that was sent by someone not associated with the company, and who also has a web page on his server which definitely is trying to steal personal information. However, I personally would not enter data into any website whose link came to me from an unsolicited email message, regardless of who sent it. If a company wants me to go to their website and do something, I will use a link that I have used in the past, and that I have in my Favorites. If someone I know sends me a link to something they want me to look at, I may go to that site just to look, but I would not enter any personal data into such a site.
If anyone understands exactly what that HTML code does, let me know.
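What the three pieces of that page do, as an added note with example code (the analyzer below is not from the article or from the phishing site; it only parses the HTML quoted above): the first script is a frame-buster, which pulls the page out of any frame it was loaded into. The meta refresh with a zero-second delay sends the main browser window straight to the genuine Citibank visitor page. The second script runs as soon as the page loads and calls window.open() to open a 350 by 450 pixel window on the attacker's own server. Because a features string is given, the features it does not list (including the location bar) default to off in browsers of that era, so the victim sees the real Citibank site in the main window and a small bare window on top of it asking for card details. The window.open call runs unconditionally every time the page loads, so if the popup does not appear the likely causes are a popup blocker on the client or the attacker having removed index.php. The script below extracts those three behaviours from the captured HTML, which is embedded verbatim; running it with node prints the report.

```javascript
// Added example (not code from the original article): a static analyzer for
// phishing landing pages like the easysolutions24.net page quoted above. It
// extracts the meta refresh to the real bank, the window.open() popup to the
// attacker's form, and the frame-busting script. Regex-based, no network access.

// The captured HTML from the article, embedded verbatim as the sample input.
const LANDING_PAGE = `<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Citipop</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script language="JavaScript" type="text/javascript">
<!-- Hide script from older browsers
setTimeout ("changePage()", 0);
function changePage() {
if (self.parent.frames.length != 0)
self.parent.location=document.location;
}
// end hiding contents -->
</script>
<meta http-equiv="refresh" content="0;URL=https://web.da-us.citibank.com/cgi-bin/citifi/scripts/home/visitor_homepage.jsp">
<SCRIPT LANGUAGE="JavaScript">
<!--begin
{
window.open('http://www.easysolutions24.net/verify/index.php','MyWindow','scrollbars=no,resizable=no,toolbar=no,width=350,height=450,left=350,top=200');
}
// end -->
</SCRIPT>
</head>
<body>
</body>
</html>`;

// Read one attribute value out of a tag (double-, single- or un-quoted).
function attr(tag, name) {
  const re = new RegExp(String.raw`\b${name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`, "i");
  const m = tag.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// <meta http-equiv="refresh" content="N;URL=..."> redirects of the main window.
function metaRefreshTargets(html) {
  const out = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if ((attr(tag, "http-equiv") || "").toLowerCase() !== "refresh") continue;
    const m = (attr(tag, "content") || "").match(/^\s*(\d+)\s*;\s*url\s*=\s*(.+?)\s*$/i);
    if (m) out.push({ delaySeconds: Number(m[1]), url: m[2] });
  }
  return out;
}

// window.open(url, name, features) calls, with the features string parsed.
function popupWindows(html) {
  const out = [];
  const re = /window\.open\s*\(\s*(['"])(.*?)\1\s*(?:,\s*(['"])(.*?)\3\s*(?:,\s*(['"])(.*?)\5\s*)?)?/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const features = {};
    for (const kv of (m[6] || "").split(",")) {
      const [k, v] = kv.split("=").map((s) => s.trim());
      if (k) features[k] = v === undefined ? "yes" : v;
    }
    out.push({ url: m[2], name: m[4] || "", features });
  }
  return out;
}

// Assignment to parent/top.location is the classic frame-busting idiom.
function bustsFrames(html) {
  return /\b(?:self\.|window\.)?(?:parent|top)\.location\s*(?:\.href\s*)?=(?!=)/.test(html);
}

function analyzeLandingPage(html) {
  const redirects = metaRefreshTargets(html);
  const popups = popupWindows(html);
  const redirectHosts = redirects.map((r) => new URL(r.url).hostname);
  const popupHosts = popups.map((p) => new URL(p.url).hostname);
  // Popup served from a host other than the one the main window is sent to:
  // the fake-form-over-real-site pattern.
  const crossHostPopup = redirectHosts.length > 0 && popupHosts.some((h) => !redirectHosts.includes(h));
  // With a non-empty features string, unlisted features (location bar included)
  // default to off, so the popup shows no address bar unless location=yes.
  const hidesAddressBar = popups.some(
    (p) => Object.keys(p.features).length > 0 && p.features.location !== "yes" && p.features.location !== "1"
  );
  return { redirects, popups, frameBuster: bustsFrames(html), crossHostPopup, hidesAddressBar };
}

console.log(JSON.stringify(analyzeLandingPage(LANDING_PAGE), null, 2));
```

The report for the captured page shows one zero-second redirect to web.da-us.citibank.com, one popup to www.easysolutions24.net with toolbar=no and no location bar, and a frame-buster; the cross-host popup flag is what distinguishes this page from an ordinary redirect stub.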
Dear Citibank Member,
As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts.
You are requested to visit our site, login to your account and fill in the required information.
https://secure.citibank/support/update.html
This is required for us to continue to offer you a safe and risk free environment to send and receive money online and maintain the experience.
Thank you,
Accounts Management
As outlined in our User Agreement, citibank will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions.
---------------------------------------------
Thank you for using Citibank!
---------------------------------------------
Do not reply to this email.
Clicking on the link would take you to http://www.imagescreativegroup.org/nuclear/index.html
That site has an operational server on it, but it does not have anything at that URL. The domain has been registered since Oct 16, 1998, although some sort of change was made to their registration on April 7, 2004 (14 days before I received the message). The site that is there makes me believe that they plan to disrupt the IP routing tables temporarily to substitute a server to hijack information, like I described in the article on Update Your eBay Account in this issue of the I/O Port, although it is possible that the activity on April 7 was a test run, and they may have obtained access to the Domain Registrar's service, and they may plan to temporarily change the Name Server entries when they are ready to hijack information.
I got three messages like the one last month, supposedly from support@citibank.com, with the subject Verify your E-mail with Citibank. Note the email did not have any background color; the color below was added to make it clear what part was from the email, and what part of this article I wrote.
Dear Citibank Member,
This email was sent by the Citibank server to verify your E-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM.
This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it.
To verify your E-mail address and access your bank account, click on the link below:
https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp
Just like last month I had to shut down ZoneAlarmPro before I could see the web page. Last month they had one error in their web page, because I got:
Warning: session_start(): open(/tmp\sess_4f2ec4a684ceb1f644c596d99cc05b38, O_RDWR) failed: No such file or directory (2) in d:\domains\securecitibank.us\wwwroot\scripts\vdaemon\vdaemon.php on line 78
They fixed that bug this month, because I did not get an error. The web page looks like a Citibank website:

Like last month, they faked the location line of the browser by building it themselves with graphics from a real browser, so that it appears to be a secure web page (note the https). But while they faked up the top part of the browser window, they did not bother to fake the bottom part: there is no yellow padlock like this:
which you should always see when the browser is displaying a secure web page.
Last month the displayed URL was the same as this month's. Last month it really took the viewer to http://www.securecitibank.us/scripts/email_verify.htm, but this month it went to http://www.strongsite.us/scripts/email_verify.htm.
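Both Citibank messages above use the same trick: the visible text of the link is an https URL that looks like Citibank's, while the href behind it points somewhere else over plain http. The script below is an added example, not code from the article. The first two <a> elements are constructed from the displayed and real URLs the article reports (the messages' original HTML was not reproduced on the page), and the third is a constructed genuine link for comparison. It flags a link when the host shown in the text differs from the host it really goes to, when the text claims https but the target is not https, or when the text mentions a brand whose real domain (an assumed list, here just citibank.com) does not contain the target host.

```javascript
// Added example (not from the original article): flags e-mail links whose
// visible text does not agree with the href behind it. The sample <a> tags are
// reconstructed from the URLs reported in the article, not the original mail.

// Assumed brand-to-domain list: text that names a brand must link under it.
const TRUSTED_DOMAINS = { citibank: "citibank.com" };

// Constructed samples. Visible text and real target come from the article.
const SAMPLE_MESSAGES = [
  {
    label: "update.html message",
    html:
      '<p>You are requested to visit our site, login to your account and fill in the required information.</p>' +
      '<a href="http://www.imagescreativegroup.org/nuclear/index.html">https://secure.citibank/support/update.html</a>',
  },
  {
    label: "Verify your E-mail message",
    html:
      '<a href="http://www.strongsite.us/scripts/email_verify.htm">https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp</a>',
  },
  {
    label: "genuine link for comparison (constructed)",
    html: '<a href="https://www.citibank.com/">https://www.citibank.com/</a>',
  },
];

function parseUrl(s) {
  try { return new URL(s); } catch (e) { return null; }
}

function underDomain(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Pull every <a href="...">text</a> out of a message body (tags inside the
// anchor text are stripped so "https://..." wrapped in <b> still counts).
function extractLinks(html) {
  const links = [];
  const re = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const h = m[1].match(/\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    if (!h) continue;
    const href = h[1] !== undefined ? h[1] : h[2] !== undefined ? h[2] : h[3];
    links.push({ href, text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return links;
}

// Returns the list of reasons a link is suspicious; empty means it passed.
function checkLink(link) {
  const reasons = [];
  const target = parseUrl(link.href);
  if (!target) return ["href is not an absolute URL: " + link.href];
  const shown = parseUrl(link.text);
  if (shown) {
    if (shown.hostname !== target.hostname)
      reasons.push("text shows " + shown.hostname + " but link goes to " + target.hostname);
    if (shown.protocol === "https:" && target.protocol !== "https:")
      reasons.push("text claims https but the link is " + target.protocol.replace(":", ""));
  }
  for (const [brand, domain] of Object.entries(TRUSTED_DOMAINS)) {
    if (link.text.toLowerCase().includes(brand) && !underDomain(target.hostname, domain))
      reasons.push("mentions " + brand + " but target is not under " + domain);
  }
  return reasons;
}

function reviewMessage(html) {
  return extractLinks(html).map((l) => ({ href: l.href, text: l.text, reasons: checkLink(l) }));
}

for (const msg of SAMPLE_MESSAGES) {
  console.log(msg.label + ": " + JSON.stringify(reviewMessage(msg.html), null, 2));
}
```

The two phishing links each trip all three checks; the genuine link trips none. A link whose text is not a URL at all (for example "click here") only gets the brand check, so the hostname comparison is not a substitute for looking at where the href actually points.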
The domain strongsite.us is registered to Charles Maloney, 65 Munro Blvd, Valley Stream, NY, and it was registered on April 9 (just two days before it was used).
The IP address changed; last month it was 61.141.32.170; this month it was 61.141.32.189; but it was still in China:

I have said this in other articles, but it is worth repeating:
If you get an email that either asks you to directly enter your account number, password, or other private data, or that takes you to a specific web page which asks for that information, don't provide it.
For more information on the Tulsa Computer Society click here