In December, we heard about a new vulnerability that masks the actual (spoofed) URL, or Uniform Resource Locator — the "address" of places and items on the Net that is displayed in Web browsing software. It didn't take long before the technique was used by an attacker. Last week's Citibank spoof e-mail appears to use a similar vulnerability.
Like many phishing messages, the basic e-mail looks relatively authentic, with logos and images that are linked from the real Citibank site. The message asks the reader to click on the button to check their accounts and report any suspicious or fraudulent account activity. If you click on the button, you are brought to an authentic looking Web page where you're asked to log on. If you do, they've got you.
While this site was only up for a day or so before it was shut down, it may have netted some victims because of the masked address.
When you got to the logon page, it displayed only "www.citibank.com" in the address line, though the full address (shown in DOS text) was really:
Between the ".com" and the "@" sign were several characters. When we looked at the text of the address, it was different from last week's "%01%00@" character sequence, which truncated the URL so only the spoofed address was shown.
Windows displayed the URL with a little box character in it, but when we viewed the URL in a command line (DOS) hex editor, we saw the sequence 26h 23h 31h 3Bh. These are the ASCII values of "&#1;", an HTML character reference for the control character 01h. This different sequence of characters had the same effect as the %01%00 characters discovered previously — no text to the right of it is displayed in the browser window.
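As an added example (not part of the original article), the following Python check shows how a defender can tell the host a browser really connects to from the host shown before the "@" sign, covering both encodings described above; the sample links are constructed and "phishing-host.example" is a placeholder, not the host the spoof site actually used.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample hrefs; "phishing-host.example" is a placeholder, not the
# host actually used by the Citibank spoof site.
SAMPLE_LINKS = [
    "http://www.citibank.com%01%00@phishing-host.example/login.htm",  # percent-encoded
    "http://www.citibank.com&#1;@phishing-host.example/login.htm",    # character reference
    "https://www.citibank.com/",                                      # genuine, no userinfo
]

CHARREF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
HOSTNAME = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def decode_charrefs(text):
    """Decode numeric references such as &#1; to the raw code point.
    html.unescape() is avoided because it silently drops C0 control
    characters, which are exactly what we need to see here."""
    def repl(match):
        ref = match.group(1)
        return chr(int(ref[1:], 16) if ref[0] in "xX" else int(ref))
    return CHARREF.sub(repl, text)


def analyze_link(href):
    """Report the host a browser really connects to versus the host the
    text before an '@' is designed to make the reader believe."""
    decoded = unquote(decode_charrefs(href))
    userinfo, at, hostport = urlsplit(decoded).netloc.rpartition("@")
    report = {
        "real_host": hostport.split(":")[0].lower(),
        "has_userinfo": bool(at),
        "has_control_chars": bool(CONTROL_CHARS.search(decoded)),
        "claimed_host": None,
    }
    if at:
        # Drop the control characters that hid the rest of the address and
        # see whether what remains looks like a hostname (www.citibank.com).
        visible = CONTROL_CHARS.sub("", userinfo).lower()
        if HOSTNAME.fullmatch(visible):
            report["claimed_host"] = visible
    # Userinfo that looks like a hostname, or that hides control characters,
    # is the signature of the masked-URL trick; flag it either way.
    report["suspicious"] = bool(at) and (
        report["has_control_chars"] or report["claimed_host"] is not None
    )
    return report
```

Run `analyze_link` over the hrefs in a suspect message: a result with `suspicious` set and a `real_host` that differs from `claimed_host` is the masked-URL pattern the article describes.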
Signs of a Scam
So, if an e-mail message sounds plausible and the site looks OK, how do you tell whether it's authentic or not?
To start, the e-mail message was from "email@example.com". Citibank uses citibank.com on all of its internal email accounts, not mindspring.com. However, some e-mail viewers may not show the whole e-mail address, only the common name (in Outlook you'll see "Citibank [firstname.lastname@example.org]"), so it is possible to miss that clue.
If you go to the Web site in the e-mail, the page looks pretty authentic. But if you watch the status bar while the page is loading, you'll notice the true URL flash by for a second. You have to watch carefully, but it can be seen.
Next, if you look in the lower right corner, the fake Citibank site has no lock icon, while the real one does. The lock shows that the authentic site has a valid certificate. You can click on the lock and see who issued it. Citibank got theirs from VeriSign. The bogus site has none.
The last clue is in the address bar itself. The bogus site only shows www.citibank.com, cutting off the full (fake) URL. If you look at the real site, it shows a very different URL:
That is easy to spot, since it is pretty rare that a Web site doesn't at least show the /index.htm page.
While the Citibank spoof site is now gone, there'll be others to take its place. But if you know how to identify a bogus site or e-mail, you won't become another identity theft victim.