February 2nd, 2004

(no subject)

As a followup to my last post, I actually just got one of these emails. Its hardly well crafted, but I thought looking at one in action might help it hit home.


From - Mon Feb 02 12:29:37 2004
X-UIDL: b4913f392c6cf847f53fb50a8377ae88
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Apparently-To: my@email via; Mon, 02 Feb 2004 09:26:51 -0800
Return-Path: <debugger@pcmail.com.tw>
Received: from (HELO grfw-d9ba8e05.pool.mediaWays.net) (
by mta119.mail.sc5.yahoo.com with SMTP; Mon, 02 Feb 2004 09:26:49 -0800
Received: from pcmail.com.tw (pcmail-com-tw-bk.mr.outblaze.com [])
by grfw-d9ba8e05.pool.mediaWays.net (Postfix) with ESMTP id E09FB842E2
for <my@email>; Mon, 02 Feb 2004 12:23:05 -0500
Message-ID: <101101c3e9b1$565e591a$8f3dfcf9@pcmail.com.tw>
From: _CITIBANK_ <debugger@pcmail.com.tw>
To: Cariaso <my@email>
Subject: Citi _EMAIL Veerification - my@email
Date: Mon, 02 Feb 2004 12:23:05 -0500
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
X-AntiVirus: skaner antywirusowy poczty Wirtualnej Polski S. A.

Dear _Citibank_ _User_,

This_ email was sentt by-the citibank_ server to
veerify your_ _EMAIL_ addres.
You musst ceplomte this pecosrs by clicking on the_ link
below and enteering in the smal window_ your Citi-bank
_ATM_ Card Number and Pin that you use on_the Atm_machine.
That is done for your preotction -A- because some_of our
_members_ no lgneor have acecss to their email adsesedrs
and we must verify it.


To veerify your EMAIL adderss and acccess _your_ _citibank
account, click on _the link beloww.


So lots of typos, there is your first give away, but you can assume that a really clever crook might use the spellchecker.

Next the url does look like what I described. It begins with what looks like a hostname but is infact just the username portion of a longer url.

All of those %7a %68 etc are an alternate way of writing the url. It means character 78 (in hex) followed by character 68 (in hex) etc. And when you expand all of those you see that the real human readable url is...

eekbitz should now be trained in how to do this, and I'll leave it up to her to do the full translation, but this points to a site in russia (eek: look at the domain name), which is definitely warez related.


Now the email appears to have been sent from servers in taiwan (.tw) possibly with a few stops along the way in the US, but some of this info can be forged so I'm not positive.

Click on the link. Its reasonably safe ;)

Seriously, its probably ok, and very educational. Just dont accept any downloads, or enter any personal information.

It seems to hop through a few servers, and then take you to a very real looking citibank site. But its a fake.

Try and type that same url in a browser (www.citi-online.net) and there is no such server. You're not really visting that url. I could go on, there is tons more interesting forensics here, but I need to work.