I like picking apart phishing emails to see how obvious (or not) the attempt is. This one has me stumped. The headers look legit. The domain in the link is not owned by Citibank according to internic.net's whois (it was just registered a couple days ago) but if you go to www.citibank-us.org it redirects to citibank.com. Yet I know this is a phishing attempt from the poorly worded email.
Could it be that Citibank has taken over the domain and forced it to redirect to them? That's the only thing that would make sense to me.
---start of headers---------------
Return-Path: <support@citibank.com>
Received: from mailexchanger2.MyISP.com (mailexchanger2.MyISP.com [208.x.x.x])
by oldmail.MyISP.com (8.12.10/8.12.10) with ESMTP id i8LCUZwa000800
for <xxxxxxx@mail.MyISP.com>; Tue, 21 Sep 2004 08:30:35 -0400 (EDT)
Received: from adsl-68-22-198-146.dsl.chcgil.ameritech.net (adsl-68-22-198-146.dsl.chcgil.ameritech.net [68.22.198.146])
by mailexchanger2.MyISP.com (8.12.10/8.12.10) with SMTP id i8LCaHK1053934
for <xxxxxxx@MyISP.com>; Tue, 21 Sep 2004 08:36:18 -0400 (EDT)
Received: from citibank.com (mail2.citigroup.com [192.193.226.98])
by adsl-68-22-198-146.dsl.chcgil.ameritech.net (Postfix) with ESMTP id F64947C9D0
for <xxxxxxx@MyISP.com>; Tue, 21 Sep 2004 05:29:07 -0700
Reply-To: Citibank <support@citibank.com>
From: Citibank <support@citibank.com>
To: xxxxxxx <xxxxxxx@MyISP.com>
Subject: Please confirm your account
Date: Tue, 21 Sep 2004 05:29:07 -0700
Message-ID: <100101c49fd6$2554cdc3$e9fc469d@citibank.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0013_AC99695A.FE7D0301"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway
X-Scanned-By: MIMEDefang 2.40
X-UIDL: E9h"!8`S"!JJ`"!+W!#!
--------end headers--------------------
Relevant section of body:
<html>
<body>
<img src=3d"http://www=2ecitibank-us=2eorg/signin/citifi/scripts/login2/h=
eader=2egif">
<br><br>
<P align=3d"left"><font face=3d"Trebuchet MS">
Dear valued Citibank member,=20
<br><br>
Due to concerns, for the safety and integrity of the online banking commu=
nity we have issued the following warning message=2e
<br><br>
It has come to our attention that your account information needs to be co=
nfirmed due to inactive customers, fraud and spoof reports=2e If you coul=
d please take 5-10 minutes out of your online experience and renew your r=
ecords you will not run into any future problems with the online service=2e=
However, failure to confirm your records may result in your account susp=
ension=2e
<br><br>
Once you have confirmed your account records your internet banking servic=
e will not be interrupted and will continue as normal=2e
<br>
&nbsp;</font><P align=3d"left"><font face=3d"Trebuchet MS">Please <a href=
=3d"http://www=2ecitibank-us=2eorg/signin/citifi/scripts/login2/index=2eh=
tml" target=3d"_blank">click here</a> to confirm your bank account record=
s=2e
<br><br><br>
Thank you for your time,
<br>
Citibank Billing Department=2e<br></a></font><hr><font face=3d"Trebuchet =
MS">=20
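One way to check both points raised in the post above, as an added example (not the poster's code): walk the Received chain trusting only the hops stamped by your own ISP's servers, and decode the quoted-printable body to see the real link host. The headers and body fragment are copied from the post; `MyISP.com` is assumed to be the trusted suffix, and the sendmail/Postfix `from A (B [ip]) by C` layout of the Received lines is assumed.

```python
import email
import quopri
import re
from urllib.parse import urlparse

# Received lines copied from the post (top = newest hop); continuations stay indented.
HEADERS = """\
Received: from mailexchanger2.MyISP.com (mailexchanger2.MyISP.com [208.x.x.x])
  by oldmail.MyISP.com (8.12.10/8.12.10) with ESMTP id i8LCUZwa000800
  for <xxxxxxx@mail.MyISP.com>; Tue, 21 Sep 2004 08:30:35 -0400 (EDT)
Received: from adsl-68-22-198-146.dsl.chcgil.ameritech.net (adsl-68-22-198-146.dsl.chcgil.ameritech.net [68.22.198.146])
  by mailexchanger2.MyISP.com (8.12.10/8.12.10) with SMTP id i8LCaHK1053934
  for <xxxxxxx@MyISP.com>; Tue, 21 Sep 2004 08:36:18 -0400 (EDT)
Received: from citibank.com (mail2.citigroup.com [192.193.226.98])
  by adsl-68-22-198-146.dsl.chcgil.ameritech.net (Postfix) with ESMTP id F64947C9D0
  for <xxxxxxx@MyISP.com>; Tue, 21 Sep 2004 05:29:07 -0700
"""

# Quoted-printable body fragment from the post: =3d is '=', =2e is '.', and a
# trailing '=' is a soft line break, which is why a plain grep misses the URL.
BODY_QP = """\
<img src=3d"http://www=2ecitibank-us=2eorg/signin/citifi/scripts/login2/h=
eader=2egif">
Please <a href=
=3d"http://www=2ecitibank-us=2eorg/signin/citifi/scripts/login2/index=2eh=
tml" target=3d"_blank">click here</a> to confirm your bank account record=
s=2e
"""

# Assumes the sendmail/Postfix form "from CLAIMED (RDNS [IP]) by SERVER".
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")

def origin_hop(headers, trusted_suffix):
    """Walk Received lines from our own MX down. The 'from' of the last hop
    stamped by a trusted host is the real client; lines below it may be forged."""
    received = email.message_from_string(headers).get_all("Received")
    origin = None
    for i, m in enumerate(HOP_RE.search(h) for h in received):
        claimed, rdns, ip, by = m.groups()
        if not by.lower().endswith("." + trusted_suffix.lower()):
            return origin, len(received) - i   # (origin, count of untrusted lines)
        origin = (claimed, rdns, ip)
    return origin, 0

def link_hosts(qp_body):
    """Decode quoted-printable, then collect the hostnames behind src/href."""
    html = quopri.decodestring(qp_body.encode()).decode("latin-1")
    return sorted({urlparse(u).hostname for u in re.findall(r'(?:href|src)="([^"]+)"', html)})

if __name__ == "__main__":
    print(origin_hop(HEADERS, "MyISP.com"), link_hosts(BODY_QP))
```

For this message the walk stops at the ameritech DSL host, so the bottom Received line naming mail2.citigroup.com was stamped by that host itself and says nothing about Citibank; the decoded body points every link at www.citibank-us.org.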