Thread: One I haven't seen yet....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    One I haven't seen yet....

    ... But I don't get any of these.....

    This was sent to my CEO via email.

    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <MAP 
    name=FPMap0><AREA shape=RECT coords=0,0,567,270 
      href="http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%7A/%69%6E%64%65%78%2E%68%74%6D"></MAP>
    <META content="MSHTML 6.00.2800.1458" name=GENERATOR></HEAD>
    <BODY>
    <DIV><FONT face=Tahoma size=2><SPAN class=972050716-27092004>I believe this is 
    one of your scams!</SPAN></FONT><FONT face=Tahoma size=2>-----Original 
    Message-----<BR><B>From:</B> CITIZENS BANK 
    [mailto:identdep_op730110@citizensbank.com]<BR><B>Sent:</B> Monday, September 
    27, 2004 2:00 AM<BR><B>To:</B> CEOs Name Here<BR><B>Subject:</B> URGENT 
    SECURITY NOTIFICATION<BR><BR></FONT></DIV>
    <P><FONT face=Arial><A 
    href="http://www.citizensbank.com/customerservice/cust_serv_gtway.asp"><IMG 
    src="cid:part1.03030709.05070303@identdep_op55094187461725@citizensbank.com" 
    useMap=#FPMap0 border=0></A></A></FONT></P>
    <P><FONT color=#fffff7>it's beautiful engine Fun into account But we do have in 
    1899 of WEATHER in 1903 It's a pleasure Outlaw Star Attila the Hun Dale 
    Earnhardt Destiny's Child Metasearch Groundhog Day Dogs in 1965 Easter Dale 
    Earnhardt The X-Men Newspapers Good. in 1922 in 1821 Mariah Carey 
    </FONT></P></BODY></HTML>
    What I found interesting is that the whole email is the href, (it's a mapped picture), so the apparent href appears to be valid but the real href you are sent to is encoded in line 4....

    It would catch the semi-literate..... I had to look at it twice.... :o
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Was lazy and found a cute little site that unfortunately requires IE, but nonetheless:

    http://code.cside.com/3rdpage/us/url/converter.html

    Put the unicode URL in there at the bottom and click the convert button and voila:

    211.97.248.60:87/cz/index.htm

    Dunno...thought it was an interesting site...of course I amuse easily...

    EDIT: By the way, nice catch, I had to look at it a couple of times myself
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
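An added example, not part of any post in this thread: a mail-triage check for the trick described in post #1 and decoded in post #2. It pairs each image-map AREA target with the visible link wrapped around the mapped image, percent-decodes the target, and reports why it looks suspicious. The names `MapAudit`, `is_ip` and `audit` are hypothetical, and the sample is cut down from the quoted message.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: the MAP/AREA and A/IMG elements of the message in post #1.
SAMPLE = '''<MAP name=FPMap0><AREA shape=RECT coords=0,0,567,270
 href="http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%7A/%69%6E%64%65%78%2E%68%74%6D"></MAP>
<A href="http://www.citizensbank.com/customerservice/cust_serv_gtway.asp"><IMG useMap=#FPMap0></A>'''

class MapAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.areas, self.images = {}, []  # map name -> AREA hrefs; (usemap, <A> href)
        self._map = self._a = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "map":
            self._map = a.get("name")
        elif tag == "area" and a.get("href"):
            self.areas.setdefault(self._map, []).append(a["href"])
        elif tag == "a":
            self._a = a.get("href")
        elif tag == "img" and a.get("usemap"):
            self.images.append((a["usemap"].lstrip("#"), self._a))

    def handle_endtag(self, tag):
        self._a = None if tag == "a" else self._a

def is_ip(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

def audit(html):  # -> [(visible href, decoded map href, reasons)]
    p = MapAudit()
    p.feed(html)
    findings = []
    for name, shown in p.images:
        for raw in p.areas.get(name, []):
            url = urlsplit(unquote(raw))  # decode first so host and port parse
            checks = [("%" in urlsplit(raw).netloc, "percent-encoded host"),
                      (is_ip(url.hostname), "IP-literal host"),
                      (url.port not in (None, 80, 443), "non-default port"),
                      (url.hostname != urlsplit(shown or "").hostname, "host differs from visible link")]
            findings.append((shown, url.geturl(), [why for hit, why in checks if hit]))
    return findings
```

Maps are resolved after parsing, so the check works whether the MAP element appears before or after the image that uses it.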

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Neb: LOL.... I was about as lazy.... I googled Citizens Bank..... cos it should be an easy find. Fired up ethereal and clicked googles link then clicked on the email... voila....

    Good link though.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    So Tiger, is this a phishy or just a spam blocker by-pass? (if phishy, might want to submit to http://www.antiphishing.org )
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's a phishy...... If you follow the link it takes you nicely to the customer service page of Citizens Bank with a popup over the top left asking for your details. Interestingly enough if you try to close the popup without filling anything in it won't go away. You have to close the spawning page, (the "pull" from citizens), with taskmanager first and then use taskmanager to kill the popup.

    It's on its way to antiphishing.org as I type.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    str34m3r
    Guest
    We get quite a few of these at work. It's entertaining to play with these emails to see how far the rabbit hole really goes. Some of them are simple phishing scams, but they're not much fun. The best ones are the ones that are still trying (and succeeding in rare cases) to exploit the most recent IE/CHM vulnerability when they're clicked. One of them downloaded and installed a mostly benign spyware/adware executable that changed the home page. The neat trick (or at least I thought so) was when on this new homepage, they basically admitted that they'd installed spyware/adware on your PC and offered you an uninstall link to assist you in removing it. Of course this uninstall link was an executable (note the social engineering) and turned out to be a nasty trojan (I can't remember which one offhand).

  7. #7
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    <EDIT> Sorry guys this was supposed to be "CitiFinancial" not CitiBank.

    I received one of these from CitiFinancial this morning. I checked the CitiFinancial.com website and it was down. Coincidence?
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!
