How strange, I received that in my email too.. -Henry
--- Niels Bakker <[EMAIL PROTECTED]> wrote: > > Speaking of computers fubar'ed by spyware, I just > found a particularly > nice example of a phishing attempt. SpamAssassin > had tagged it with the > astronomical score of 136.3 thanks to SARE. > > The mail originated from 68.77.56.130 (an > ameritech.net DSL connection, > right now not pingable) and loads some images from > www.citibank.com. > It links to http://61.128.198.51/Confirm/ - an IP > address hosted by > Chinanet (transit to there supplied by Savvis from > my point of view). > > That page does something interesting: it meta > refreshes itself to > Citibank's corporate homepage but also pops up a > window > (/Confirm/pop.php) requesting the user's card#, PIN > (twice) and a > new PIN. The main page being citibank probably > lends some credibility > to the scam. > > This attack won't work if your browser blocks > popups, or if you remember > that the padlock icon in the status bar is what > tells you the status of > a connection, not a "128-bit SSL" or "Verisign > trust-e" or whatever logo > inside the webpage. > > It's disheartening to see that this website is still > online after > several days (I received the scam mail received > Friday morning). > > I'm thinking that Citibank will cease to be a target > if they give (ok, > it's a bank - sell) their subscribers a hardware > token that requires > presence of the ATM card when the customer wants to > use online banking > facilities... as several banks here in the > Netherlands do. > > > -- Niels. >