Virus

HTML/Citifraud

Analysis

  • This threat is malicious by design: it uses a spoofed URL to mislead users who click a hyperlink in an HTML-formatted email message
  • The hyperlink abuses the user's trust and the URL "userinfo" syntax (http://user:password@host/, defined in RFC 1738 and RFC 2396), which browsers use to supply HTTP Basic logon credentials (RFC 2617); the browser treats everything before the "@" as a logon name rather than as the host, so a link that begins with a bank's hostname can still connect somewhere else
  • The spoofed URL directs the web browser to the attacker's web page instead of Citibank, the web site the HTML email claims to link to
  • The email does contain links to picture files stored on the real Citibank web site; this is social engineering intended to lend the message credibility
  • An email message was spammed to numerous email addresses with the following basic content:

    On January 10th 2004 Citibank had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities.

    Due to our extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct.

    Citibank notifies all its customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below.

    Click Here To Login

  • If the hyperlink is selected, the web browser does not connect to Citibank; it instead connects to the IP address 211.239.150.170 and requests the page "login.htm"

  • Any logon credentials the user enters on that page are sent to the attacker's server, not to Citibank
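The following is an added example, not part of the original advisory, showing how the userinfo spoof works and how a mail gateway or analyst could flag it. The sample HTML and the href in it are constructed for illustration of the user@host form; the advisory does not publish the exact link used in the Citifraud message, only the resulting destination (211.239.150.170/login.htm). Python's urllib.parse applies the same RFC 2396 splitting rules a browser does, so the "effective host" it returns is the host the browser would actually connect to.

```python
"""Detect userinfo-based URL spoofing in HTML e-mail hyperlinks.

Added example; not code from the original advisory. SAMPLE_HTML is a
constructed message whose href illustrates the RFC 1738/2396
user:password@host form; it is not the literal link from the Citifraud
email.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the visible text and the part before "@" both
# mention citibank, but the host the browser connects to is the IP literal.
SAMPLE_HTML = """
<p>If you suspect or have found any fraud activity on your account
please let us know by logging in at the link below.</p>
<a href="http://www.citibank.com@211.239.150.170/login.htm">Click Here To Login</a>
<img src="http://www.citibank.com/images/logo.gif">
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def effective_host(url):
    """Return the host a browser will actually connect to for url."""
    return urlsplit(url).hostname


def is_ip_literal(host):
    """True if host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the reasons (possibly none) this hyperlink looks spoofed."""
    parts = urlsplit(href)
    reasons = []
    if parts.username is not None:
        # Everything before "@" is userinfo (RFC 1738/2396). Browsers send
        # it as HTTP Basic credentials (RFC 2617); they do not connect to
        # it. A hostname-looking username is the spoof.
        reasons.append(
            f"userinfo {parts.username!r} precedes real host {parts.hostname!r}"
        )
    if parts.hostname and is_ip_literal(parts.hostname):
        reasons.append(f"host is a bare IP literal {parts.hostname}")
    # If the visible text is itself a URL, its host must match the real one.
    if text.lower().startswith(("http://", "https://")):
        shown = effective_host(text)
        if shown and shown != parts.hostname:
            reasons.append(f"visible host {shown!r} != real host {parts.hostname!r}")
    return reasons


def scan_html(html):
    """Return [(href, visible_text, reasons)] for every <a> in html."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, analyse_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_html(SAMPLE_HTML):
        print(f"{text!r} -> {effective_host(href)}")
        for reason in reasons:
            print("  flag:", reason)
```

Run against the constructed sample, the only anchor is flagged twice: the userinfo "www.citibank.com" precedes the real host, and that host is a bare IP literal. A gateway rule that rejects or rewrites any href containing userinfo loses essentially nothing legitimate, since mail almost never needs embedded Basic credentials.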

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

  • If the mail server or mail client supports it, disable HTML-format email so that all messages are viewed as plain text
  • Recommend that users also choose plain text when viewing email messages
  • Avoid clicking hyperlinks in HTML-format email messages; open a web browser and visit the intended web site by entering its URL manually