Archiv verlassen und diese Seite im Standarddesign anzeigen : [citibank] Security Alert on Microsoft Internet Explorer

22.10.2004, 18:52
From - Fri Oct 22 xx:xx:xx 2004
X-UIDL: [UID filtered]
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <support [at] citibank.com>
Received: from (helo=mxng11.kundenserver.de)
by mqueue.kundenserver.de with ESMTP (Nemesis),
ID: [ID filtered]
Received: from [] (helo=66-200-154-67.client.dsl.net)
by mxng11.kundenserver.de with smtp (Exim 3.35 #1)
ID: [ID filtered]
for #MeinAccount#; Fri, 22 Oct 2004 xx:xx:xx +0200
X-Message-Info: 4LLii2807i651MPsxCR7tf819vhvKOWsNGHyeuWHcb42x
Received: from misty.com ([]) by dd4-fk802.misty.com with Microsoft SMTPSVC(5.3.7728.2637);
Fri, 22 Oct 2004 xx:xx:xx -0300
Received: from misty.com (misty.com [])
by misty.com (8.12.10/8.12.9) with ESMTP ID: [ID filtered]
for #MeinAccount#; Fri, 22 Oct 2004 xx:xx:xx +0300 (EST)
(envelope-from support#citibank*com)
Received: from PQ84096 (modemcable6.9-09.wz.misty.com [])
(authenticated bits=1)
by misty.com (8.12.10/8.12.9) with ESMTP ID: [ID filtered]
for #MeinAccount#; Fri, 22 Oct 2004 xx:xx:xx -0600 (EST)
(envelope-from support#citibank*com)
Message-ID: [ID filtered]
From: "Citibank" <support#citibank*com>
To: <Info>
Subject: Security Alert on Microsoft Internet Explorer
Date: Fri, 22 Oct 2004 xx:xx:xx -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
Envelope-To: #MeinAccount#
X-SpamScore: 0.345

Content-Type: text/html;
Content-Transfer-Encoding: 7Bit
<table border="0" cellpadding="0" cellspacing="0" width="600">
<td width="600" colspan="2"><a href=http://www.citibank.com/domain/images/citi44a.gif</a>" width="61" height="38" border="0" alt=""></td>
<td width="10"><SPACER height="1" width="10"
<td width="590">
<font color="#000066" face="Arial">

<font color="#000066" face="Arial">Dear Citibank Customer,

<font color="#000000" face="Arial">
At Citibank, we take security very seriously. As many customers already know, Microsoft Internet Explorer has significant `holes` or vulnerabilities that virus creators can easily take advantage of.

At Citibank, we maintain your personal information and data according to strict standards of security and confidentiality as described in the Terms and Conditions that govern your use of this site. Online access to your account portfolio is only possible through a secure web browser.

In order to further protect your account, we have introduced some new important security standards and browser requirements. Citibank security systems require that your computer system is compatible with our new standards.

This security update will be effective immediately. Please (<a href=)">sign on</a> to Citibank Online in order to verify security update installation. Failure to do so may result in your account being compromised.

Citibank Online


<td width="600" colspan="2" bgcolor="#000060"><SPACER height="1" width="600"
<td width="600" colspan="2" align="right"><font color="#777777" face="Arial" size="1">Copyright &copy; 2004 Citicorp</font></td>

Interessant ist die Weiterleitung der Adresse: nach
http://web.da-us.citibank.com%01 [at]
Opera warnt zumindest, ob man wirklich zu der adresse mit Benutzernahmen wechseln will.
Nach Eingabe des Benutzernamens und Kennwortes (die Verifikation dauert recht lange ;-)
erscheint eine Bitte, man solle die Eingaben Confirmen mit ATM/Debit-Card und PIN.
Das ist auf:
http://web.da-us.citibank.com%01 [at] (http://web.da-us.citibank.com)
Toll, da ist ja User und Pass in der URL codiert.
(der nun an seinem Zufalls-Javascript weiterschreiben geht.)

22.10.2004, 21:59
Guter Trick der Phisher, aber leider gibt es keine einzige legitime Mail mit ASCII 0x01 im Link, weshalb man darauf gefahrlos hart filtern kann.
Friss, Spammer, friss: http://docsnyder.de/spl/forum/

25.10.2004, 00:47
Bei mir natürlich auch:
Received: from [] (helo=host-217-172-241-50.gdynia.mm.pl)
by mx21.web.de with smtp (WEB.DE 4.102 #165)
ID: [ID filtered]
X-Message-Info: 3feyja9jmT/qHwPCLkfIOtmpRU250YLxu
Received: from FG43KT09 ([]) by VH70.banjo.bigpond.com with Microsoft SMTPSVC(5.0.2195.6713);
Sat, 23 Oct 2004 xx:xx:xx +0100
From: <support [at] citibank.com>
To: <poor [at] spamvictim.tld>
Subject: Security Alert on Microsoft Internet Explorer
Date: Sat, 23 Oct 2004 xx:xx:xx -0100
Message-ID: [ID filtered]
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: [filtered]
Content-Class: xc:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Virus-Status: Scanned by norton
Sender: support [at] citibank.com