Fraud

KGP

LOL. Check out the e-mail I received today. You'd think that the fraudsters could at least spell.

Dear Citicard _Member_,

_This letteer was sent_ by_the_ Citbiank server to
veerify your_ e-mail adrress.
You muust cmptloee this pcseors by clicking on the link
beloow and enteering in the smal winddow your Citibank
Atm/Debit Card number and _PIN_ that you use_ on Atm_machine.
This_is donne for your potcertion -J- becaurse some_of our
_members_ no logenr have accses to their email adesdress
and we must verify it.


Honestly, I didn't edit it!
 
I also got the same from Citibank about a week ago. The spelling was just awful.
 
What is puzzling to me is that the URL domain they ask you to click on is citibankcards.org (verified by menu bar). A whois check of that domain shows that it's an available domain. I thought that the domain would have to be active, even for a re-direct, to get the person to where they wanted them to go.
 
KGP said:
What is puzzling to me is that the URL domain they ask you to click on is citibankcards.org (verified by menu bar). A whois check of that domain shows that it's an available domain. I thought that the domain would have to be active, even for a re-direct, to get the person to where they wanted them to go.

You're using Internet Explorer, right? A bug in IE means that the url displayed on the location bar can be "spoofed". Look at the raw e-mail and you will probably see that the url is something like ([email protected]) and you will also see that the form you are being asked to fill in gets directed to some free e-mail service somewhere.
 
unbeeleevibale, whear r thea comeen up wif dis crap.
 
If they could only spell...

Now if I click on the link the url re-directs me to Citibank's actual website, but also a pop-up box comes up, and nothing in the pop-up source code would lead anyone to believe that it's not actually CitiBank. They even spoof the pop-up URL code to http://www.citibank.com_xxxx.html. Hard to see in the pic, but the pop-up asks for debit card number and PIN. Scary if they could spell! :eek:
 

Attachment: citi copy.gif (45.2 KB)

I am constantly getting emails from someone claiming to be with Paypal saying I need to update my records. Asking for credit cards #'s and PINS.
I just forward them to Paypal. :rolleyes:
 
I love the recent trend of spelling everything wrong to get through filters. Who in the hell is logging in to buy things from these people actually trying to sell stuff using the typo/filter method?

Does this sound like someone you should buy something from?

Ur neeedign biigg enh@ncennmnet!!! Roderr 4rom us nowow and g3t dsciount n3rrly as b|g as th3 r3sutltls!!!

People that read crap like that and jump right on board, deserve a good lesson IMO.
 
If one was to report this activity to Citibank, will they do something about it (got their name involved?)
 
Citibank already knows about it. It is listed on their website (although not front and center). Not much they can do except try to hunt the dudes down (prob in Russia or something) and hope that not many card holders get duped, because Citibank will have to eat the tab. That's why acquiring banks get something called a discount rate - the risks involved.
 
I'll let you know, I notified Citibank by mail and asked for a response. I'll post any news.
 
NSX/MR2 said:
If one was to report this activity to Citibank, will they do something about it (got their name involved?)

The quickest results in these matters come from contacting the owner of the domain that they are using and the owner of the e-mail service that is collecting the responses.
Here is an example of one that I received which purports to be from Ebay asking me to update my account info. It looks totally legitimate but if we look at the source it becomes obvious that it is not:

From - Wed Oct 01 12:57:42 2003
X-UIDL: 20031001165247s12001o27je0000hp
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Received: from yourwebsite.com (cdma-3g1x-176-191.zappmobile.ro[80.97.176.191](untrusted sender))
by sccrmxc12.myisp.net (sccrmxc12) with SMTP
id <20031001165233s12009ck23e>; Wed, 1 Oct 2003 16:52:34 +0000
Received: from unknown [80.97.186.66]by 172.31.5.10; 01 Oct 2003 19:44:52 +0300
Reply-To: [email protected]
From: [email protected]
To: [email protected]
Subject: Update Your Account Infos at eBay
Sender: [email protected]
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Wed, 1 Oct 2003 19:52:35 +0300

I highlighted the important bits of that in red. First question: what's Ebay doing using a server in Romania to contact me? Second question: who owns 80.97.186.66? Doing a "whois" lookup through any number of online sites tells us that 80.97.186.66 belongs to a company called Telemobil S.A. in Romania and provides their admin e-mail address. A copy of the e-mail including all headers goes off to that address with a demand that the account be shut down and a note that the information has been provided to the appropriate Federal authorities here. It hasn't but they don't need to know that.
Further down the source of the e-mail we find:
type=hidden [email protected] name=svc
This indicates that they are using javascript to send the results of the form you fill in to an e-mail address that almost looks official except for the fact that it has nothing to do with Ebay. Ok, who is "priorityzero.com"? Well, another quick search reveals that priorityzero.com is a free e-mail service located in San Jose, CA so their admin gets a nastygram with a demand that the account be terminated along with a copy of the e-mail.
Pretty simple really and only takes a minute or so.
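
The header and form check described in the post above, as an added example that is not part of the original thread: it lists the relay IPs worth a whois lookup, checks whether the receiving hop mentions the claimed sender domain, and pulls out hidden form fields holding an off-site address. The `.example` addresses, the form markup and the `triage` function are assumptions made for illustration; the `Received` lines are abridged from the quoted message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample: Received lines abridged from the message quoted above,
# addresses and form replaced with .example placeholders.
RAW = (
    "Received: from yourwebsite.com (cdma-3g1x-176-191.zappmobile.ro"
    "[80.97.176.191](untrusted sender))\n"
    "\tby sccrmxc12.myisp.net (sccrmxc12) with SMTP;"
    " Wed, 1 Oct 2003 16:52:34 +0000\n"
    "Received: from unknown [80.97.186.66]by 172.31.5.10;"
    " 01 Oct 2003 19:44:52 +0300\n"
    "From: aw-confirm@ebay.example\n"
    "Subject: Update Your Account Infos at eBay\n"
    "Content-Type: text/html; charset=\"iso-8859-1\"\n"
    "\n"
    "<form><input type=hidden value=collector@freemail.example name=svc>\n"
    "<input name=card><input type=password name=pin></form>\n"
)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

class HiddenInputs(HTMLParser):
    """Collect the value of every <input type=hidden> in the body."""
    def __init__(self):
        super().__init__()
        self.values = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.values.append(a.get("value") or "")

def triage(raw):
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    # Headers are prepended: received[0] was stamped by your own provider and
    # is the only hop the sender could not forge; lower ones are claims.
    relay_ips = [ip for h in received for ip in BRACKETED_IP.findall(h)]
    forms = HiddenInputs()
    forms.feed(msg.get_payload())
    offsite = [v for v in forms.values
               if ADDRESS.fullmatch(v) and not v.lower().endswith("@" + claimed)]
    matches = bool(claimed and received) and claimed in received[0].lower()
    return {"claimed_domain": claimed, "relay_ips": relay_ips,
            "relay_matches_from": matches, "offsite_collectors": offsite}

if __name__ == "__main__":
    print(triage(RAW))
```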
 
Dear PayPal member,

We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.

To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

Thank you for using PayPal.


mcomzcqz



:rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes:
 
Gents,
Just to let you know that these misspelled emails are on PURPOSE and NOT a mistake. This is a technique to pass through email filtering--these people are NOT stupid. To be able to slide past filters, you need to have spelling mistakes, false return addresses, faked headers (possible) and the list goes on.
 