Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Fri, 07 May 2004 09:30:21 +0100
From: David Price <davidp@xxxxxxxxxxxxxx>
Subject: Re: [IP] Citibank Security Update/spoof
To: dave@xxxxxxxxxx

These spoofing or 'phishing' emails are now so prevalent - particularly for Citibank - that what would once have been a crisis is now becoming routine. Citibank were probably the first bank to be hit in the current wave of phishing emails, sometime near the end of last year. At the time, they did warn customers - I have a Citibank account and remember getting an email from them warning of these scam emails, and seeing warnings on their web site (which I believe are still there).

My company works in this area and we pick up a phishing campaign aimed at each major UK bank probably every other day (and at organisations like eBay and PayPal multiple times each day). Some attacks are incredibly sophisticated; others very weak. It seems to have become the script kiddies' new favourite pastime. I remember when Barclays were hit by a major phishing attack and the BBC web site didn't just feature the story but *led* with it. No more - the occasional phishing campaign might crop up in the news here and there, but nothing more than that. They are now extremely common.
Banks *are* putting resources into this area, but it is difficult for them to tackle each and every phishing attack now that they are so common. It's not hard for anyone to buy a list of spam addresses from eBay or on IRC, set up a fake domain, create a convincing-looking web site, and send out the emails. Banks can only ever be reactive to these kinds of attacks. Consumer education is the best policy: let people know that you will never, ever, send out an email asking for their details, or to request that they 'verify' their account on a web site. There are technological solutions which aim to spot the phishing emails as soon as they occur, alert the banks, and get the web sites shut down (disclaimer: the company I work for provides one).
APACS (the bank clearing service in the UK) estimate that at least £1m has been lost from UK customer accounts in the last six months or so because of phishing. The phishing situation is yet another reason why people should never trust anything sent to them in an email - if you remember what you're told about suspicious email attachments which could harbour viruses, simply apply the same warning to emails from banks.
David

--------------------------------------------------------
Dr. David Price
Research Consultant
Envisional Limited
Tel: +44 1223 569700
email: davidp@xxxxxxxxxxxxxx
web: http://www.envisional.com
--------------------------------------------------------

The Information contained in this e-mail message is intended only for the individuals named above. If you are not the intended recipient, you should be aware that any dissemination, distribution, forwarding or other duplication of this communication is strictly prohibited. The views expressed in this e-mail are those of the individual author and not necessarily those of Envisional Limited. Prior to taking any action based upon this e-mail message you should seek appropriate confirmation of its authenticity. If you have received this e-mail in error, please notify the sender immediately.

Dave Farber wrote:

Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Thu, 06 May 2004 14:33:47 -0700
From: Dewayne Hendricks <dewayne@xxxxxxxxxxxxx>
Subject: [Dewayne-Net] Citibank Security Update/spoof
Sender: dewayne-net@xxxxxxxxxxxxx
To: Dewayne-Net Technology List <dewayne-net@xxxxxxxxxxxxx>

[Note: This item comes from reader Sally Richards. DLH]

From: "Sally Richards" <Sally@xxxxxxxxxxxxxxxxx>
Date: May 6, 2004 2:03:50 PM PDT
To: dewayne@xxxxxxxxxxxxx
Subject: Citibank Security Update/spoof
Reply-To: Sally@xxxxxxxxxxxxxxxxx

Hi Dewayne:

Just wanted to forward this to you. I am a Citibank customer, and I received three of these in one day, which is rare because I just don't get spam, especially from my bank (they send loads of it in the post, and sell my phone number to their affiliates instead). I called Citibank and they said it was a hoax. I asked them why they hadn't sent out a notice to their customers saying that someone had done a spoof. The guy basically told me not to worry about it. I called up a reporter here in the San Diego area named John Mattes who said their emails were flooded with the same email - Citibank and non-Citibank customers. He said he called up the Citibank fraud department and they said that they were aware of it, but basically didn't feel like they had to deal with it. He said it had been going out for weeks. As a Citibank customer, who is now looking for another bank because of this spoofing issue and Citibank's lackadaisical response, I thought it might be of interest to your readers. Just in case it didn't show up, there was a "real" Citibank ad at the top of the email. It looks like the link is dead today, but it was working a few days ago and it would be interesting to know if there was any actual transferring of funds through this fraudulent spoof.

Cheers,
Sally

---------- Forwarded Message -----------

Citibank

Dear Valued Customer,

- Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety.

- Due to technical update we recommend you to reactivate your account.

Click on the link below to login and begin using your updated Citibank account.

To log into your account, please visit the online banking

http://web.da-us.citibank.com&BVP=/cgi-bin/citifi/scripts/ &M=S&US&_u=visitor

If you have questions about your online statement, please send us a Bank Mail or call us at 1-800-374-9700

We appreciate your business. It's truly our pleasure to serve you.

Citibank Customer Care

This email is for notification only. To contact us, please log into your account and send a Bank Mail.

------- End of Forwarded Message -------

Sally@xxxxxxxxxxxxxxxxx • 760.788.0575 • www.SallyllyRichards.com
http://www.bayarea.com/mld/bayarea/business/3982679.htm

Destiny is no matter of chance. It is a matter of choice. It is not a thing to be waited for, it is a thing to be achieved. - William Jennings Bryan (1860 - 1925)

Archives at: <http://Wireless.Com/Dewayne-Net>
Weblog at: <http://weblog.warpspeed.com>

-------------------------------------
You are subscribed as davidp@xxxxxxxxxxxxxx
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/