How strange, I received that in my email too.. -Henry --- Niels Bakker <niels=nanog@bakker.net> wrote:
Speaking of computers fubar'ed by spyware, I just found a particularly nice example of a phishing attempt. SpamAssassin had tagged it with the astronomical score of 136.3 thanks to SARE.
The mail originated from 68.77.56.130 (an ameritech.net DSL connection, right now not pingable) and loads some images from www.citibank.com. It links to http://61.128.198.51/Confirm/ - an IP address hosted by Chinanet (transit to there supplied by Savvis from my point of view).
That page does something interesting: it meta refreshes itself to Citibank's corporate homepage but also pops up a window (/Confirm/pop.php) requesting the user's card#, PIN (twice) and a new PIN. The main page being citibank probably lends some credibility to the scam.
This attack won't work if your browser blocks popups, or if you remember that the padlock icon in the status bar is what tells you the status of a connection, not a "128-bit SSL" or "Verisign trust-e" or whatever logo inside the webpage.
It's disheartening to see that this website is still online after several days (I received the scam mail received Friday morning).
I'm thinking that Citibank will cease to be a target if they give (ok, it's a bank - sell) their subscribers a hardware token that requires presence of the ATM card when the customer wants to use online banking facilities... as several banks here in the Netherlands do.
-- Niels.