Tuesday, July 10, 2012

No, I Do Not Owe a Ginormous Amount of Money on the Citibank Card Statement I Just Received

Received an authentic looking email claiming to be from Citibank saying that my "Citi Credit Card is ready to view online". The email goes on to say that on the statement date of July 12th, the balance was $2096.72 -- and a minimum payment of $1498.45 was due on July 15th.

The email is clearly fake and is apparently malicious.

What it does right -- it uses the Citibank Email Alert template, right down to the color schemes, fonts, and layout.

What it does wrong (beyond how I do not owe Citibank any money) -- the top right corner of authentic Citibank Account Information emails always contains the cardholder name and unique information about the account in a box marked "Email Security Zone". This scam email could not duplicate the authentic information and has left the "Email Security Zone" box blank.

All of the links in the email also refer to a single non-Citibank site:
http://ftp [DOT] cmarcas [DOT] com [DOT] br/wowat2fJ/index [DOT] html
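The "every link points at one non-Citibank host" observation is the kind of check a mail-filtering script can make automatically. The following is an added example, not code from the original post: it parses an HTML email body, groups every link by host, flags hosts that are not the brand's own domain (or a subdomain of it), and defangs the flagged URLs in the same [DOT] style used above. The sample email body and the host `ftp.constructed-example.test` are constructed for the example; `citi.com` is assumed to be the brand's legitimate domain.

```python
"""Added example (not from the original post): flag links in an HTML email
whose host is outside the claimed sender's brand domain, and defang them
for a report. Sample input below is constructed."""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags and src targets of img/script/iframe tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if (tag == "a" and name == "href") or (
                tag in ("img", "script", "iframe") and name == "src"
            ):
                self.links.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname, or '' for mailto:, anchors and relative links."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, brand_domain):
    """True only if host IS brand_domain or a subdomain of it.
    'citi.com.evil.test' merely contains the brand name and must NOT match."""
    return host == brand_domain or host.endswith("." + brand_domain)


def defang(url):
    """Make a URL safe to paste into a write-up: hxxp scheme, dots spelled out."""
    return url.replace("http", "hxxp", 1).replace(".", " [DOT] ")


def audit_links(html, brand_domain):
    """Return (sorted list of suspicious hosts, {host: [defanged urls]})."""
    by_host = defaultdict(list)
    for link in extract_links(html):
        host = host_of(link)
        if host:  # skip mailto:, '#top', relative paths
            by_host[host].append(link)
    suspicious = sorted(h for h in by_host if not belongs_to(h, brand_domain))
    report = {h: [defang(u) for u in by_host[h]] for h in suspicious}
    return suspicious, report


# Constructed sample: logo from the real brand, every clickable link to one foreign host,
# mirroring the pattern described in the post. The host is a placeholder, not the real one.
SAMPLE_EMAIL = """<html><body>
<img src="https://www.citi.com/images/logo.gif" alt="Citi">
<p>Your Citi Credit Card statement is ready to view online.</p>
<a href="http://ftp.constructed-example.test/wowat2fJ/index.html">View your statement</a>
<a href="http://ftp.constructed-example.test/wowat2fJ/index.html">Make a payment</a>
<a href="http://ftp.constructed-example.test/wowat2fJ/index.html">Unsubscribe</a>
<a href="mailto:help@constructed-example.test">Contact us</a>
</body></html>"""

if __name__ == "__main__":
    hosts, report = audit_links(SAMPLE_EMAIL, "citi.com")
    for host in hosts:
        print(f"suspicious host {host}: {len(report[host])} link(s)")
        for url in report[host]:
            print("   ", url)
```

The subdomain test in `belongs_to` is the part worth getting right: a substring match on the brand name would happily accept a host like `citi.com.evil.test`, which is exactly the kind of lookalike a phisher chooses.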

Opening up the link in a test sandbox found that it displayed in my browser:

And then it tried to push what looked like a JavaScript Redirector Trojan (JS.Trojan.Redir-7) to my machine, which tried to open three different target JavaScripts:
http://sinergitech [DOT] co [DOT] id/oQknpJvM/js [DOT] js

http://caterpillarboutiquesqld [DOT] com [DOT] au/hrSEkYvF/js [DOT] js

http://lunal [DOT] ivyro [DOT] net/rQZQ1RNx/js [DOT] js

Each of these three sites pulled exactly the same JavaScript code. Perhaps the malicious guy/gal on the other end of this was trying to obfuscate the truly malicious site. Or they were thinking that having three initial sites to pull their JavaScripts from would allow this thing to run longer, as it would take more time to kill three sites as opposed to just a single one.

Whatever the case, the JavaScript code from these three sites all then tried to redirect my machine to:
http://sam-latrilogie [DOT] com:8080/go [DOT] php?d=3f34337dca7d6c7a

This PHP script then tried to exploit (via Exploit.BlackHole.17) a well documented critical security hole (CVE-2006-0003) which previously impacted Windows XP and older machines. This issue was fixed via a security patch in 2006, but this email is looking for those many many people who do not install all (or any) security patches.

Good times

Glad this is a Fake Citibank Email as those are some really crappy credit card terms.