CitiBank swims with the phishers
Here's a quite convincing phishing-scam email, purportedly from Citi-bank.  A nice description of the scam is provided at About.com, where they mention that Citibank is often targeted in these phishing scams. I found it amusing that one of the sponsored advertisements on the page was for Citibank (image below). Are they really likely to get new customers because of this kind of negative activity? Certainly the ad should address security concerns, not interest rates.  ( Julia Lerman mentioned this scam a while back, too.)
Full size image
'William' on Wed, 06 Oct 2004 23:56:55 GMT, sez: I saw this one not long ago as well.
The odd thing though when I received it, it was just an image. The whole message was just that one single image. So no matter where you clicked in the message, you'll be directed to the website.
In outlook express that meant that you couldn't just do a right-click and do a "copy-shortcut".
'leon' on Thu, 07 Oct 2004 01:17:38 GMT, sez: yep will - same here -- it's just an image.
i managed to do a view source of the email.
the image source was somthing like this: cid:part1.[...]@supprefnum[...]@citibank.com
{i've removed the numbers that were in there}. i was suprised that outlook let the image in at all.
Interestingly, the source also contained a bunch of words fitting into common and popular topics. (for example: "The Simpsons Tony Hawk Pro Skater 2, Brittany Murphy").
(I've seen this same trick done in a few spams lately)
I assume it's done to get past mail filters, and that the text is automatically generated from some unrelated websites, like the lycos top 50 or something. That way the text is forever changing, and always on topics too popular to be routinely blocked.
'Will' on Thu, 07 Oct 2004 02:25:24 GMT, sez: Cool, well at the time I didn't investigate it any further.
Interesting though, the other observations you've made which resulted in finding the other details.
Yeah, the spammers are getting, dare I say, "smarter" than the average bear. I've had word based email filters for awhile, and now they've started to replace certain letters in words with for example replacing the letter i with ì. (Emails containing certain words go into the Deleted Items folder, etc...)
Little things like that.
Bit annoying, as it means i'll need to update my email filter.
'William' on Fri, 08 Oct 2004 02:52:00 GMT, sez: Just got this exact email this morning in my inbox.
So, I decided I should check out the source code to see if it did contain what you mentioned (about the additional words that were inserted). And yep, they were there, and they seemed as random as random can be!
Another interesting item I found was "Content-Disposition: inline". I have no idea what that means, so I decided to go look it up.
Sure enough, it was something interesting, and it answers your question as to why outlook didn't block the image.
Outlook only blocks external images (eg: images located on outside servers and so on).
From rfc2183: "If the 'inline' disposition is used, the multipart should be displayed as normal; however, an 'attachment' subpart should require action from the user to display." -- if inline and not attachment is used, then image will be displayed upon message opening (this is why Outlook doesn't show it as an attachment.)
Is 'Content-Disposition: inline' dangerous in the wrong hands? Most definately.
'leon' on Fri, 08 Oct 2004 04:32:35 GMT, sez: ah -- well spotted Will.
i guess spam filters will start using image scanning with OCR technology soon enough, if images have to be allowed in.
|
secretGeek .:dot Nuts about dot Net:.
Do they store the code for TFS in TFS?
The Best Software Writing I
The Business Of Software (Eric Sink)
bookmark at Del.icio.us!
reddit this