[UCE/Phishing] Attention aII Citibank users!



Houser
14.06.2004, 10:54
Return-Path: <users-billing12 [at] citibank.com>
Delivered-To: poor [at] spamvictim.tld
Received: (qmail 31016 invoked from network); 15 Jun 2004 xx:xx:xx -0000
Received: from unknown (HELO me) (127.0.0.1)
by localhost with SMTP; 15 Jun 2004 xx:xx:xx -0000
Received: from mail.xxx.de
by mail ID: [ID filtered]
Tue, 15 Jun 2004 xx:xx:xx +0200
Received: (qmail 22493 invoked by UID: [UID filtered]
Received: from unknown (HELO xxx.de) (unknown)
by unknown with SMTP; 15 Jun 2004 xx:xx:xx -0000
Received: (qmail 4276 invoked by UID: [UID filtered]
Delivered-To: poor [at] spamvictim.tld
Received: (qmail 4274 invoked from network); 15 Jun 2004 xx:xx:xx -0000
Received: from users-billing12 [at] citibank.com by mail; 15 Jun 2004 xx:xx:xx -0000
Received: from dsl-80-46-185-1.access.uk.tiscali.com (80.46.185.1)
by mail.xxx.de with SMTP; 15 Jun 2004 xx:xx:xx -0000
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://users-billing12 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Tue, 15 Jun 2004 xx:xx:xx +0400
From: Citibank <users-billing12 [at] citibank.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: poor [at] spamvictim.tld
Subject: Attention aII Citibank users!
Content-Type: multipart/related;
boundary="------------030801030400090106040000"
X-AntiVirus: OK
Content-Type: image/gif;
name="brag.GIF"
Content-Transfer-Encoding: base64
Content-ID: [ID filtered]
Content-Disposition: inline;
filename="brag.GIF"
Citi
Dear client of the Citi,
As the Technical service of the Citibank have been currently updating the software,
We kindly ask you to follow the reference given below to confirm your data, otherwise
your access to the system may be blocked.
We are grateful for your cooperation
A member of citigroup
Copyright (c) 2004 Citicorp
h11ps://web.da-us.citibank.com/signin/sc.../user_setup.jsp (h11ps://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp)
h11p://%32%30%36%2E%31%33%35%2E%31%33%2E%39%38:%34%39%30%33/%63%69%74/%69%6E%64%65%78%2E%68%74%6D">
<img SRC="cid:part1.09040208.04060004 [at] user-billing23@citibank.com" border="0">

TV It`s not to the point when placed smash barricades Angelia Jolie

Fidul
14.06.2004, 16:39
The hex-encoded URL resolves to: 206.135.13.98:4903/cit/index.htm (apparently already dead). The whois for this IP is interesting.
--
We'll get you all!

mindphlux
14.06.2004, 16:41
A hotel in Beverly Hills, hm? I wonder whether someone on vacation hooked up their laptop as a server there?

Spammer, go to http://www.arghcor.de/

pewe222
16.06.2004, 03:07
These mails (concerning Citibank) now arrive on a weekly basis. By contrast, the ones (supposedly) from PayPal have dropped off noticeably.

Received: from [63.160.44.69] (helo=COREY-LQ2VPA4D9) by mx17.web.de with smtp (WEB.DE 4.101 #91) ID: [ID filtered]
Below that, a GIF including text and a redirect to
https://freemailng0809.web.de/online/logic/download.htm?

mindphlux
18.06.2004, 17:58
Another one, slightly different this time. The URL is already dead, or rather gets redirected to http://www.citi.com. In Thunderbird the spoof does not work at all, because the spoof URL cannot be clicked.


From - Sat Jun 19 xx:xx:xx 2004
X-UIDL: [UID filtered]
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path: <user-supports05 [at] citibank.com>
Delivered-To: xxx
Received: (qmail 10053 invoked from network); 19 Jun 2004 xx:xx:xx -0000
Received: from unknown ([62.67.200.162])
by twister.ispgateway.de (qmail-ldap-1.03) with QMQP; 19 Jun 2004 xx:xx:xx -0000
Delivered-To: CLUSTERHOST mx11.ispgateway.de xxx
Received: (qmail 21637 invoked from network); 19 Jun 2004 xx:xx:xx -0000
Received: from unknown (HELO adsl-69-108-32-81.dsl.lsan03.pacbell.net) ([69.108.32.81])
(envelope-sender <poor [at] spamvictim.tld>)
by mx11.ispgateway.de (qmail-ldap-1.03) with SMTP
for <xxx>; 19 Jun 2004 xx:xx:xx -0000
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-supports05 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Sat, 19 Jun 2004 xx:xx:xx -0300
From: Citi <user-supports05 [at] citibank.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: poor [at] spamvictim.tld
Subject: **SPAM** ! your account in Citibank
Content-Type: multipart/related;
boundary="------------000401050406000805060009"
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on
mx11.ispgateway.de
X-Spam-Level: ******
X-Spam-Status: No, hits=6.4 required=9999.0 tests=FROM_ENDS_IN_NUMS,
HTML_70_80,HTML_FONTCOLOR_UNSAFE,HTML_IMAGE_ONLY_02,HTML_MESSAGE,
HTML_TAG_BALANCE_A,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,
MIME_HTML_ONLY autolearn=no version=2.61
X-Bayesian-Result: Clean (2)
X-Bayesian-Words: 2000 56 275 50 account 7 cID: [ID filtered]
X-SpamPal: SPAM DSBL 69.108.32.81
This is a multi-part message in MIME format.
--------------000401050406000805060009
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<html><font face="Arial"><A HREF="https://web.da-us.citibank.com/signin/sc.../user_setup.jsp (https://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp)"><map name="FPMap0"><area coords="0, 0, 610, 275" shape="rect" href="http://%32%31%31%2E%31%36%38%2E%31%33%35%2E%35%30:%34%39%30%33/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"></map><img SRC="cid:part1.01020309.03020108 [at] users-support50@citibank.com" border="0" usemap="#FPMap0"></A></a></font>
<font color="#FFFFF6">in 1903 in 2000 What area, please? It`s nice Simpsons </font>
</html>
--------------000401050406000805060009
Content-Type: image/gif;
name="arizona.GIF"
Content-Transfer-Encoding: base64
Content-ID: [ID filtered]
Content-Disposition: inline;
filename="arizona.GIF"


"Africans, we count people first while money and other material things
come after." -- Ann, 419 scammer
Spammer, go to http://www.arghcor.de/
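
The pattern in the messages above (a percent-encoded IP address and port in an image-map `href`, which SpamAssassin scored as HTTP_ESCAPED_HOST) can be checked mechanically. The following is an added example, not part of any forum post; the function names, flag names and the sample HTML (placeholder hosts `bank.example` and `192.0.2.10`) are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

class HrefCollector(HTMLParser):
    """Collect href values from <a> and image-map <area> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag in ("a", "area") and href:
            self.hrefs.append(href)

def inspect_href(href):
    """Return (decoded_host, port, flags) for one link target."""
    parts = urlsplit(href)
    flags = ["escaped-host"] if "%" in parts.netloc else []
    # Decode only the authority part, then re-parse it like a client would.
    decoded = urlsplit(f"{parts.scheme}://{unquote(parts.netloc)}")
    host = decoded.hostname or ""
    try:
        port = decoded.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
        flags.append("bad-port")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # a DNS name, not an address
    if port not in (None, 80, 443):
        flags.append("unusual-port")
    return host, port, flags

def scan_html(html):
    """Decode and flag every link target in an HTML mail body."""
    collector = HrefCollector()
    collector.feed(html)
    return [inspect_href(h) for h in collector.hrefs]

def pct(text):  # percent-encode every character; only builds the sample
    return "".join(f"%{ord(c):02X}" for c in text)

# Constructed sample: the anchor names a bank host, the <area> is the target.
SAMPLE = (
    '<a href="https://signin.bank.example/user_setup.jsp"><map name="m">'
    f'<area shape="rect" href="http://{pct("192.0.2.10")}:{pct("4903")}/{pct("cit")}/index.htm">'
    '</map><img src="cid:logo" usemap="#m"></a>'
)
```

Calling `scan_html(SAMPLE)` returns one tuple per link, so a mail in which the anchor and the image-map area decode to different hosts stands out immediately.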

pp
19.06.2004, 09:14
and mine from today...
Return-Path: <user-billing49 [at] citibank.com>
X-Original-To: ppp [at] ppp.de
Delivered-To: xxx
Received: from 0xd5aaec3d.dhcp.kabelnettet.dk (0xd5aaec3d.dhcp.kabelnettet.dk [213.170.236.61])
by xxx(Postfix) with SMTP ID: [ID filtered]
for <poor [at] spamvictim.tld>; Sat, 19 Jun 2004 xx:xx:xx +0200 (CEST)
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-billing49 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Sun, 20 Jun 2004 xx:xx:xx +0500
From: Citi <user-billing49 [at] citibank.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: poor [at] spamvictim.tld
Subject: !0fficiaI Notice for aII Citibank users [Sun, 20 Jun 2004 xx:xx:xx +0600]
Content-Type: multipart/related;
boundary="------------090404050805050201050009"
Message-ID: [ID filtered]
X-UIDL: [UID filtered]

pp
19.06.2004, 19:40
And again, but this time the hex-encoded link points to: http://4.8.204.251:4903/cit/index.htm This time a hotel in LA
Return-Path: <users-billing1 [at] citibank.com>
X-Original-To: www [at] www.de
Delivered-To: xxx
Received: from 81.209.184.239 (unknown [210.205.206.90])
by xxx(Postfix) with SMTP ID: [ID filtered]
for <poor [at] spamvictim.tld>; Sun, 20 Jun 2004 xx:xx:xx +0200 (CEST)
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://users-billing1 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Sun, 20 Jun 2004 xx:xx:xx -0300
From: Citi <users-billing1 [at] citibank.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: poor [at] spamvictim.tld
Subject: !Citibank reguIar verification of the accounts [Mon, 21 Jun 2004 xx:xx:xx +0600]
Content-Type: multipart/related;
boundary="------------060400040803040403090004"
Message-ID: [ID filtered]
X-UIDL: [UID filtered]

Stalker2002
27.06.2004, 14:28
Phishing now also follows a cookie-cutter pattern.
On the 19th I received the usual Citibank mail
Received: from [203.222.24.37] (helo=YOUR-5TOBLW0WQW) by mx25.web.de with smtp (WEB.DE 4.101 #26) ID: [ID filtered]
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-supports04 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Sat, 19 Jun 2004 xx:xx:xx -0200
From: Citibank
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: nichtmeineAdresse
Subject: your account - Citibank [Sun, 20 Jun 2004 xx:xx:xx +0300]
Content-Type: multipart/related; boundary="------------070902010807080709090006"
Message-Id:
Sender: user-supports04 [at] citibank.com

dear client of the citi,
As the technical service of the Citibank have been currently updating the software, We kindly ask you to follow the reference given below to confirm your data, otherwise your access to the system may be blocked
hXXps://web.da-us.citibank.com/signin/sc.../user_setup.jsp (hXXps://web.da-us.citibank.com/signin/scripts/login2/user_setup.jsp)
We are grateful for your cooperation.
It links to something percent-encoded that pops up a window which constantly grabs focus and is also quite resistant to ALT-F4. The main window then loads a genuine Citibank page, presumably to lend credibility.
And now the kicker:
Today a mail showed up here that is completely identical except for the logo and the name Citibank.
Now it is suddenly US Bank.
Received: from [82.197.207.59] (helo=217.72.192.149) by mx20.web.de with smtp (WEB.DE 4.101 #26) ID: [ID filtered]
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-billing41 [at] usbank.com/Sent
X-Identity-Key: id1
Date: Sun, 27 Jun 2004 xx:xx:xx -0700
From: US Bank
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: auchnichtmeineAdresse
Subject: To all US Bank users!
Content-Type: multipart/related; boundary="------------000706070109000705040002"
Message-Id:
Sender: user-billing41 [at] usbank.com
HTML mail, linking to:
hXXp://%32%31%31%2e%32%33%32%2e%31%34%33%2e%32%32%37:%34%39%30%31/%63%66%6D/%69%6E%64%65%78%2E%68%74%6D
Regards
L.
P.S.: Hello, web.de?!? What is the deal with the header as a single line?
Do you think I have time to burn, formatting this kind of thing myself on a regular basis?
---
"The reason was not the cause, but the trigger."
Franz "der Kaiser" Beckenbauer

Fidul
27.06.2004, 19:29
The last phishing URL, 211.232.143.227:4901/cfm/index.htm, is once again located in Korea.
--
We'll get you all!