How to Spot Citibank E-Mail Scams

By ABC News
January 21, 2004, 12:49 PM

Jan. 22 -- In December, we heard about a new vulnerability that masks the actual (spoofed) URL, or Uniform Resource Locator, the "address" of places and items on the Net that is displayed in Web browsing software. It didn't take long before the technique was used by an attacker: last week's Citibank spoof e-mail appears to use a similar vulnerability.

Like many phishing messages, the basic e-mail looks relatively authentic, with logos and images that are linked from the real Citibank site. The message asks the reader to click on the button to check their accounts and report any suspicious or fraudulent account activity. If you click on the button, you are brought to an authentic-looking Web page where you're asked to log on. If you do, they've got you.

While this site was only up for a day or so before it was shut down, it may have netted some victims because of the masked address.

When you got to the logon page, it displayed only "www.citibank.com" in the address line, though the full address (shown in DOS text) was really:

"http://www.citibank.com@211.239.150.170/login/login.htm"

Between the ".com" and the "@" sign were several characters. When we looked at the text of the address, it was different from last week's "%01%00@" character sequence, which truncated the URL so that only the spoofed address was shown.

Windows displayed the URL with a little box character in it, but when we viewed the URL in a command line (DOS) hex editor, we saw the sequence 26h 23h 31h 3Bh. These are the ASCII values of "&#1;" (an ampersand, a pound sign, the digit 1 and a semicolon), the HTML numeric reference for character 1. This different sequence of characters had the same effect as the %01%00 characters discovered previously: all text to the right of it is not displayed in the browser window.
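The following is an added example, not code from the article, that shows how a mail filter or a curious reader can recover the host a link really points to from links built like the ones described above. The sample links are constructed for this example: the first matches the address quoted in the article, the "%01%00" and "&#1;" variants are the two masking sequences the article describes, and the last is a plain address for comparison.

```python
import re
from urllib.parse import unquote

CONTROL = r"[\x00-\x1f\x7f]"

# Constructed sample hrefs modelled on the spoof described in the article.
SAMPLES = {
    "userinfo": "http://www.citibank.com@211.239.150.170/login/login.htm",
    "percent_ctrl": "http://www.citibank.com%01%00@211.239.150.170/login/login.htm",
    "entity_ctrl": "http://www.citibank.com&#1;@211.239.150.170/login/login.htm",
    "genuine": "https://www.citibank.com/login/login.htm",
}


def decode_numeric_entities(s: str) -> str:
    """Turn &#N; / &#xHH; into characters, as the mail client's HTML parser does
    before handing the href to the browser. Done by hand because html.unescape
    silently drops references to control-range characters such as &#1;."""
    def repl(m):
        ref = m.group(1)
        return chr(int(ref[1:], 16) if ref[0] in "xX" else int(ref))
    return re.sub(r"&#(x[0-9a-fA-F]+|\d+);", repl, s)


def analyse_href(href: str) -> dict:
    """Report what a reader sees, the host a browser really connects to, and why
    the link is suspect."""
    url = decode_numeric_entities(href)
    m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/?#]*)", url)
    if not m:
        return {"shown": None, "host": None, "flags": ["not an absolute URL"]}
    authority = unquote(m.group(1))  # exposes %01%00-style bytes
    flags = []
    if re.search(CONTROL, authority):
        flags.append("control character truncates the displayed address")
    userinfo, at, hostport = authority.rpartition("@")
    if at:
        flags.append("text before '@' is a username, not the host")
    host = re.sub(CONTROL, "", hostport).split(":")[0].lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("host is a bare IP address")
    # What the address bar showed: everything up to the first control char or '@'.
    shown = re.split(CONTROL + "|@", authority, maxsplit=1)[0].lower()
    if shown != host:
        flags.append("displayed name '%s' differs from real host '%s'" % (shown, host))
    return {"shown": shown, "host": host, "flags": flags}


if __name__ == "__main__":
    for name, href in SAMPLES.items():
        print(name, analyse_href(href))
```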

Signs of a Scam

So, if an e-mail message sounds plausible and the site looks OK, how do you tell whether it's authentic or not?

To start, the e-mail message was from "citibank32571@mindspring.com". Citibank uses citibank.com on all of its internal e-mail accounts, not mindspring.com. However, some e-mail viewers may not show the whole e-mail address, only the common name (in Outlook you'll see "Citibank [citibank32571@mindspring.com]"), so it is possible to miss that clue.