Re: [Declude.JunkMail] Another scam

[Matthew Bramble]

Care to share the headers?

BTW, I was wrong about the Zap The Dingbat thing, he hid the address bar 
and used HTML to make a fake address bar.  It was all done in PHP and 
very nicely coded.  Maybe there aren't enough real jobs out there for 
Web designers :)

Matt



John Tolmachoff (Lists) wrote:

FYI, I did add this for it:

HEADERS	15	CONTAINS	citibanksecure

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Friday, January 02, 2004 9:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Another scam
The payload on this goes to a site that pops up a window using Zap The
Ding Bat URL obfuscation to make the URL look like it is the real
Citibank site.  Very dangerous and because it's being redirected on that
site, you can't catch the technique in the E-mail.
I contacted the hosting provider as a community service.

Matt



John Tolmachoff (Lists) wrote:

   

I wonder how many people will actually fall for this:

--=_579b51922d72e436946615fa16088dbb
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
--=_579b51922d72e436946615fa16088dbb
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
<body bgcolor=3D"#FFFFFF" text=3D"#000000"> <DIV>Dear Citibank
     

Member,</DIV=
   

<DIV><BR>This email was sent by the Citibank server to verify your E-
     

mail<B=
   

R>address. You must complete this process by clicking on the
     

link<BR>below =
   

and entering in the small window your Citibank ATM/Debit<BR>Card number
     

and=
   

PIN that you use on ATM.<BR>This is done for your protection -- because
     

so=
   

me of our members<BR>no longer have access to their email addresses and
     

we =
   

must<BR>verify it.</DIV>
<DIV><BR>To verify your E-mail address and access your bank
     

account,<BR>cli=
   

ck on the link below:</DIV>
<DIV><BR><A
     

href=3D"http://65.246.58.14/baluci/scripts/email_verify.htm";>ht=
   

tps://web.da-
     

us.citibank.com/signin/citifi/scripts/email_verify.jsp</A></DI=
   

V>
<DIV><BR>-----------------------------</DIV>
<DIV>Thank you for using Citibank</DIV>
<DIV>-----------------------------</DIV> </body>
--=_579b51922d72e436946615fa16088dbb--
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
     



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.