Message-ID: <20040320200238.WXSG3598.fep04-mail.bloor.is.net.cable.rogers.com@BillDell>
From: full-disclosure at royds.net (Bill Royds)
Subject: Another false Citibank e-mail...a new phishing?

Phishing mails don't have any need to use the %01 exploit if they can get
gullible people to click on a link in an email message that just has a plain
IP address as this one does.
That IP address has reverse lookup to
218-36-71-193.rev.krline.net
which has whois information
Registrant:
KrLine (KRLINE2-DOM)
   #203, Shinhan bldg, 902-55
   Togok-dong, Kangnamgu
   Seoul 135-270
   KR

   Domain Name: KRLINE.NET

   Administrative Contact, Technical Contact:
      KrLine Internet Service Inc.  (DM3184-ORG)  domain@...INE.NET
      #203, Shinhan bldg, 802-55
      Seoul, Seoul
      KR
      82-2-3461-3282 fax: 82-2-572-3471

   Record expires on 01-Oct-2006.
   Record created on 01-Oct-1999.
   Database last updated on 20-Mar-2004 14:59:12 EST.

   Domain servers in listed order:

   NS1.KRLINE.NET               211.47.128.1
   NS2.KRLINE.NET               211.47.128.2
========================================

Why do you think Citibank would use an ISP in Korea to check accounts? It is
an obvious phishing expedition.
The only thing new is that it is using SSL for the connection to the scam web
site to allow people to feel that it is somehow secure.


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Elia Florio
Sent: March 20, 2004 2:24 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Another false Citibank e-mail...a new phishing?

I received this bad-spoofed-Citibank e-mail,
which points to a PHP page which asks
for credit card number..........and stole it!!!
Is it the next phishing e-mail?

The link points to http://218.36.71.193:443/citi/

It does not use "%01" exploit to show a spoofed-URL in the Explorer bar.

EF
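
Added example, not part of either message: a mail-filter check for the link traits discussed in this thread (bare IP host, scheme and port that do not match, text before '@' as in the %01 trick, brand name outside the host). The BRANDS list, the function names and the sample body are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DEFAULT_PORT = {"http": 80, "https": 443}
BRANDS = ("citi",)  # assumption: brand strings the filter watches for

def check_url(url):
    """Return the reasons a link found in a mail body looks suspicious."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass  # a DNS name, not an IP literal
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
        reasons.append("malformed port")
    if port is not None and port != DEFAULT_PORT.get(parts.scheme):
        reasons.append(f"{parts.scheme} on non-default port {port}")
    userinfo = parts.netloc.rpartition("@")[0]
    if userinfo:  # text before '@' is not the host; %01 spoofing relied on it
        reasons.append("userinfo before '@' hides the real host")
    lure = (userinfo + parts.path).lower()
    for brand in BRANDS:
        if brand in lure and brand not in host:
            reasons.append(f"brand '{brand}' appears outside the host name")
    return reasons

def scan_mail(body):
    """Map each suspicious URL in a mail body to its list of reasons."""
    urls = (u.rstrip(".,)") for u in URL_RE.findall(body))
    return {u: r for u in urls if (r := check_url(u))}

# Constructed sample: the link quoted in this thread, a made-up %01-style
# link (192.0.2.7 is a documentation address) and a benign link.
SAMPLE = """Verify your account at http://218.36.71.193:443/citi/
or http://www.citibank.com%01@192.0.2.7/citi/ today.
Help: https://www.example.com/help"""

if __name__ == "__main__":
    for url, why in scan_mail(SAMPLE).items():
        print(url, "->", "; ".join(why))
```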

