TCS - Identity Theft

Identity Theft

by Don Singleton
Tulsa Computer Society
From the August, 2004 issue of the I/O Port Newsletter

Please confirm your bank accounts with Citibank!

On June 30 I received this email:

Dear Customer,

This email was sent by the Citibank server to verify your E-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank Debit Card number and PIN that you use on ATM.

This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it.

To verify your E-mail address and access your bank account, click on the link below:

https://wwww.citibank.com/signin/confirmation.jsp

Clicking on the link would actually take you to http://219.148.127.66/scripts/confirmation.htm: the visible text is an https citibank.com URL, but the real target is a plain-http page on a bare IP address. As VisualRoute shows, that server is in Beijing, China.
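Added example, not code from the original newsletter: a small Python script that pulls every link out of an HTML message and flags the mismatch described above, where the visible text is an https citibank.com URL but the real href is a plain-http page on a bare IP address. The sample message is constructed to match that description; it is not the original email's HTML.

```python
"""Flag anchors in an HTML e-mail whose visible text is a URL that does not
match the real link target. Added example; the sample message below is
constructed to mirror the Citibank mail described in the article."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, lowercased, or '' if the string is not a URL."""
    return (urlparse(url).hostname or "").lower()


def _is_ip_literal(host):
    """True for a bare IPv4/IPv6 address such as 219.148.127.66."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return a list of (href, text, reasons) for anchors that deserve a look."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = _host(href)
        text_host = _host(text)          # non-empty only when the text itself is a URL
        if _is_ip_literal(href_host):
            reasons.append("target host is a bare IP address")
        if text_host and text_host != href_host:
            reasons.append("visible URL host differs from target host")
        if text.lower().startswith("https://") and urlparse(href).scheme == "http":
            reasons.append("text promises https but target is plain http")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample in the shape of the Citibank mail (not the original HTML).
SAMPLE_MAIL = """
<p>To verify your E-mail address and access your bank account, click on the link below:</p>
<p><a href="http://219.148.127.66/scripts/confirmation.htm">https://wwww.citibank.com/signin/confirmation.jsp</a></p>
<p>Regards, <a href="https://www.citibank.com/">Citibank</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

The second anchor in the sample, whose text is just the word "Citibank", is not flagged: a plain-word link to the bank's real domain is normal. The check only fires when the text itself looks like a URL and disagrees with where the link really goes, or when the target is a raw IP address, which a bank's mail never uses.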

As SmartWhois indicates: the owner is CHINANET hebei province network, China Telecom, No.31,jingrong street, Beijing 100032; the administrative contact is Chinanet Hostmaster, No.31,jingrong street, beijing, 100032, and the technical contact is Bin Ren, renbin@mail.he.cn, 10F Ximei Building NO.6 Jianshe South Street, Shijiazhuang 050011 China.

I emailed all three of those contacts on July 3, providing them a link to this article:

Someone sent out an Identity Theft message which involved your service. I don't know which of you may be aware of these efforts, or actually participating in them, and which of you may not be aware, and if so may want to try to put a stop to them, but if you are interested see http://tcs.org/ioport/aug04/identitytheft.htm

If you identify the thief, please let me know.

Obviously I did not receive any response to my message, but a very curious thing happened: I did not receive many more Identity Theft messages for the rest of the month. It would be naive of me to think that my message made them go straight, but it might at least have caused them to pull back for a short time while they tried to figure out how to avoid leaving so many direct clues pointing back at them. I thought maybe they had just taken my email address out of their list, but a couple of weeks later I received eight copies in a very short period, so I guess they decided things were safe enough to expand their effort to steal people's banking information.

On July 27 I received another of these messages, but this time clicking on the link would take you to http://222.223.128.32/confirm/; that server is also in China.

I am pleased to report that this message was caught by the new Cox Spam Blocker software and identified as spam, but that does not account for the drop-off in Identity Theft messages, because I still scan messages flagged either by Cox or SpamInspector or both looking for Identity Theft messages.

Your Paypal Account

On July 13 I received two copies of:

Clicking on the link would take me to http://www1-paypal.com/us/cgi-bin/. Note that PayPal's real domain name is paypal.com, and www.paypal.com would also reach their website, but this link is not www.paypal.com but www1-paypal.com. The hyphen makes all the difference: www.paypal.com is a host inside PayPal's own domain, while www1-paypal.com is a separately registered domain with no connection to paypal.com at all.

Going there redirects you to http://privacyhosting.org/www.paypal.com/us/cgi-bin/login.html

www1-paypal.com is in Bulgaria:

and it is not clear where privacyhosting.org is:

The privacyhosting.org domain name was registered on July 6, and www1-paypal.com was registered on July 13.

As SmartWhois indicates: the administrative contact for www1-paypal.com is Rumen Sarandev, EVRO Network, 16, 23th September, Plovdiv 4015, Bulgaria, lir@evro.net, and the contact information for privacyhosting.org is Dotster.com, 11807 NE 99th Street, Suite 1100 Vancouver, WA, 98682, United States, and the technical contact is InterNap Network Operations Center, +1-206-256-9500, noc@internap.com

As in the Citibank case, I emailed this report to both contacts. The Bulgarian never got it, because I got back: Recipient: <lir@evro.net> Reason: sorry, your envelope sender is in my badmailfrom list (#5.7.1). I had never sent him email before, so evidently he only accepts mail from selected senders. I sent a copy to the technical contact balabana2001@yahoo.com instead.

CitiSafe by Citibank

Dear Citibank Customer, We recently noticed one or more attempts to log in to your Citibank account from a foreign IP address and we have reasons to believe that there was attempts to compromise it with brute forcing your PIN number. No successful login was detected and you have full protection by now. If you recently accessed your account while travelling, the unusual login attempts may have been initiated by you.

The login attempt was made from: IP address: 193.07.187.24 ISP Host: cache-86.proxyserver.cis.com

By now, we used many techniques to verify the accuracy of the information our users provide us when they register on the Site. However, because user verification on the Internet is difficult, Citibank cannot and does not confirm each user's purported identity. Thus, we have established an offline verification system to help you evaluate with whom you are dealing with. The system is called CitiSafe and it's the most secure Citibank wallet so far.

If you are the rightful holder of the account, click the link bellow, fill the form and then submit as we will verify your identity and register you to CitiSafe free of charge. This way you are fully protected from fraudulent activity on all the accounts that you have with us.

Click to protect yourself from fraudulent activity!

To make Citibank.com the most secure site, every user will be registered to CitiSafe.

NOTE! If you choose to ignore our request, you leave us no choice but to temporally suspend your account. * Please do not respond to this e-mail, as your reply will not be received.

Regards, Citibank Customer Support

Clicking on the link would go to http://219.148.127.67/scripts/confirmation.htm

The web page APPEARS TO BE https://web.da-us.citibank.com/signin/citifi/scripts/confirmation.jsp

but notice that going to that URL on the real Citibank server gives a page-not-found error, and that the page above does NOT show the little yellow padlock that appears when you are really on a secure (https) page, like the one shown below.

The way they got that fake URL to appear is with the following HTML. The table cell's background image, ress.gif, is simply a picture of an address bar containing the Citibank URL, painted inside the page content rather than by the browser. Because it is only a picture, the browser's real address bar still shows the bare IP address, and no padlock appears, which is why the two checks above give the game away:

<!-- ress.gif is an image of an address bar showing the fake Citibank URL -->
<TD style="BACKGROUND-POSITION: left 50%; BACKGROUND-IMAGE: url(ress.gif); BACKGROUND-REPEAT: no-repeat" align=left width="81%" height=22>

IP address 219.148.127.67 is in China

The 193.07.187.24 IP address they said was probing the server is in Germany, and it belongs to ATeO-Service, not to cache-86.proxyserver.cis.com as they claimed.

SmartWhois indicates for IP Address 219.148.127.67 the same host master and technical contact as in the first entry for this month, so I don't think I will bother emailing them again.

US Bank

Clicking on the link would take you to http://69.73.175.16/~janina/

As VisualRoute shows 69.73.175.16 is in Texas.

The http://69.73.175.16/~janina/ website looks like:

Note they tried to cover the true URL with the fake https://www.usbank.com/MaintenancePage, but because I had moved the Address bar to a different position in my browser, their fake bar landed in the wrong place and the real address stayed visible.

As SmartWhois indicates, the server is owned by Jaguar Technologies LLC in Houston, and the technical contact is Greg Landis admin@jaguarpc.net; they also have an abuse address abuse@jaguarpc.com. I emailed both of them letting them know what is going on. I also updated my report to the FBI. Since this server is in the US, hopefully they will pay a visit to Jaguar Technologies.

Greg Landis responded promptly, saying: "Thank you for contacting us, We have removed the site and taken further appropriate actions"

I asked him if he had contacted the police, and reminded him I had notified the FBI, and he replied:

"We are already in contact with the FBI on the issue. With a large customer base also comes a larger risk of issues like these. While we continue to improve our systems and try to take steps to prevent such things they are and may always be problems. We are not strangers to these types of issues and handle each one with the same level of alarm. These types of issues cost us money in chargebacks, lost revenue, manpower, system resources, upstream provider problems, and more.

Thank you for your concern and responses."

After their account at Jaguar Technologies was closed the Identity Thieves apparently moved on to Everyones Internet in Houston because on July 24 I got the same message, this time clicking would take me to http://67.15.12.53/~inosenc/ssl/. As VisualRoute shows the server is in Houston Texas.

and as SmartWhois indicates: the technical contacts are Randy Williams (admin@ev1.net) and Valarie Stinson (admin2@ev1.net) and the abuse account is abuse@ev1.net. I am contacting them, and we will see if they are as quick to shut them down as Jaguar Technologies was, and if they will work with the Houston Police and the FBI (that Jaguar Technologies said was working on the case) to apprehend the Identity Thieves. If they will report results to me, I will add them to this report (which I am also forwarding to the FBI).

I did get a response from abuse@ev1servers.net saying

We feel that the user in question in this violation has successfully removed the material in question regarding the abuse complaint and have closed the case in our records, as of 7/24/04 9:48:24 PM.

I responded

I am happy that they removed the site, but are they in jail? What they did was attempt Identity Theft, and if you just made them remove their site, they will be reinstalling it on some other ISP or even on your service under a different account.

Did you work with the local police and the FBI to see they don't do it again?

US Bank #2

I got two messages at the same time, one supposedly from usbank-Fast-Response-reaj@UsBank.com with a subject of "UsBank Important Update! Urgebb" and one supposedly from USbank-Notice-Urgeux@UsBank.com with a subject of "Bank Update - UsBank.com updard". Notice both have misspellings that probably were not accidents: I suspect they are meant to get past filters that look for exact words like "urgent" and "update". I later got others, such as one supposedly from USBank-Urgecm@UsBank.com with the subject "Found error! Please resubmit UsBank.com urgenmg" and one supposedly from Important-UsBabk@UsBank.com with the subject "USBANK.COM URGENT NOTIFICATIOvy". Cox's Spam Blocker caught all of them anyway.

Clicking on the link would take you to http://www.usbnk-update.info/secure/. The domain usbnk-update.info was registered on July 19 (I received the emails on July 20).

When I checked, the server did not seem to be up yet, so I can't tell where it is, but SmartWhois indicates the name will resolve to IP address 220.164.144.154 (and also reports Host unreachable), which is an address controlled by our old friends CHINANET, this time the yunnan province network, in Beijing.

On July 29 I received another copy of this same email; this time clicking on the link would go to http://221.139.2.74/test1/images/cgi/, which is in Seoul, Korea, on a server owned by Hanaro Telecom Inc, just like the next item.

US Bank #3

Clicking on the link would take you to http://218.51.248.96/us2/index.php. As VisualRoute shows the site is in Seoul, Korea.

As SmartWhois indicates: the server is owned by Hanaro Telecom Inc, and the IP Administrator is ip-adm@hanaro.com. They are getting their feed from AboveNet Communications in San Jose, CA, whose email is dns@ABOVE.NET, and since it will be a lot easier for the FBI to visit San Jose than Seoul, I am notifying AboveNet that one of their downstream customers is involved in Identity Theft.

US Bank #4

Dear U.S Bank client,
We recently reviewed your account, and suspect that your U.S Bank account may have been accessed by an unauthorized third party.Protecting the security of your account and of the U.S Bank network is our primary concern.

Therefore, as a preventative measure, we have temporarily limited access to sensitive U.S Bank account features.Click the link below in order to regain access to your account:

https://www4.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage

For more information about account protection , please visit U.S Bank Security Center. We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire U.S Bank system. Thank you for your prompt attention to this matter.

Sincerely,

The U.S BANK Security Department Team.

Please do not reply to this address , your reply will not be received .

Clicking on the link would actually take you to http://www.usbanksecure.info/internetBanking/RequestRouter/DisplayLoginPage/. Note again that the visible link is a real-looking usbank.com address while the target is usbanksecure.info, a domain that merely contains the bank's name. The usbanksecure.info domain was registered on June 24 (I received the email on July 30), so this is one of the oldest Identity Theft domains I have seen used. It must either be working very well for them, or they are very slow thieves.
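Added example, not part of the original article, covering two tricks seen across the last several items: the mutated subject words under "US Bank #2" (Urgebb, updard, urgenmg) that slip past exact keyword filters, and the look-alike domains (www1-paypal.com, usbnk-update.info, usbanksecure.info, and paypal.com tucked into the path of privacyhosting.org) that carry a bank's name without being the bank's domain. Both are deliberate misspellings, and the same edit-distance matcher catches both. The block also scores how recently each domain was registered, using the whois dates quoted above. The brand list, the distance thresholds and the 30-day "fresh domain" cutoff are assumptions.

```python
"""Catch the deliberate misspellings shown in this article: subject words that
dodge exact keyword filters, and host names that evoke a brand they do not
belong to. Added example, not code from the newsletter; brand list and
thresholds are assumptions, registration dates are the whois dates quoted."""
import re
from datetime import date
from urllib.parse import urlparse


def edit_distance(a, b):
    """Levenshtein distance (insert / delete / substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or keep
        prev = cur
    return prev[-1]


def _tokens(text):
    """Lower-case alphanumeric runs: 'www1-paypal.com' -> ['www1', 'paypal', 'com']."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fuzzy_keyword_hits(subject, keywords=("urgent", "update"), max_distance=2):
    """Map each keyword to the closest subject token if it lies within max_distance."""
    hits = {}
    for kw in keywords:
        best = min(_tokens(subject), key=lambda t: edit_distance(t, kw), default=None)
        if best is not None and edit_distance(best, kw) <= max_distance:
            hits[kw] = best
    return hits


# Brand -> registrable domains the brand really operates (assumed, illustrative list).
BRANDS = {"citibank": {"citibank.com"}, "paypal": {"paypal.com"}, "usbank": {"usbank.com"}}


def registrable_domain(host):
    """Last two labels of a host; adequate for .com/.org/.info without a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def brand_lookalike(url, brands=BRANDS, max_distance=1):
    """Return (brand, reason) when the URL evokes a brand it does not belong to, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    for brand, owned in brands.items():
        if reg in owned:
            continue                               # genuinely the brand's own domain
        for label in _tokens(host):
            if brand in label or edit_distance(label, brand) <= max_distance:
                return brand, f"host label {label!r} imitates {brand!r}; domain is {reg!r}"
        if brand in parts.path.lower():
            return brand, f"{brand!r} appears only in the path; domain is {reg!r}"
    return None


def assess_link(url, registered=None, received=None, fresh_days=30):
    """Reasons to distrust a link: brand look-alike, and a domain registered just before the mail."""
    reasons = []
    hit = brand_lookalike(url)
    if hit:
        reasons.append(hit[1])
    if registered and received:
        age = (received - registered).days
        if age <= fresh_days:
            reasons.append(f"domain registered {age} day(s) before the mail arrived")
    return reasons


# Links and dates from the article: (url, whois creation date, date the mail arrived).
CASES = [
    ("http://www1-paypal.com/us/cgi-bin/", date(2004, 7, 13), date(2004, 7, 13)),
    ("http://privacyhosting.org/www.paypal.com/us/cgi-bin/login.html", date(2004, 7, 6), date(2004, 7, 13)),
    ("http://www.usbnk-update.info/secure/", date(2004, 7, 19), date(2004, 7, 20)),
    ("http://www.usbanksecure.info/internetBanking/RequestRouter/DisplayLoginPage/",
     date(2004, 6, 24), date(2004, 7, 30)),
    ("https://web.da-us.citibank.com/signin/citifi/scripts/confirmation.jsp", None, None),
]
SUBJECTS = [  # the subject lines quoted under "US Bank #2"
    "UsBank Important Update! Urgebb",
    "Bank Update - UsBank.com updard",
    "Found error! Please resubmit UsBank.com urgenmg",
]


def assess_all(cases=CASES):
    """Run assess_link over the sample cases and return {url: reasons}."""
    return {url: assess_link(url, reg, rcv) for url, reg, rcv in cases}


if __name__ == "__main__":
    for subject in SUBJECTS:
        print(f"{subject!r}: {fuzzy_keyword_hits(subject)}")
    for url, reasons in assess_all().items():
        print(url, "->", reasons or "no findings")
```

Two caveats for anyone reusing this. A distance of 2 on a six-letter keyword is generous and will also match legitimate words, so treat a fuzzy hit as one signal to combine with others (the bare-IP and mismatched-link checks earlier in this article, the domain age), not as a verdict. And the two-label registrable_domain is wrong for suffixes like co.uk; a real deployment should use a public-suffix list. The real Citibank login URL in the cases list comes through clean, which is the minimum any such check has to get right.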

As VisualRoute shows the server is in Spain.

As SmartWhois indicates the Admin and technical contact is ripe@arsys.es.







Tulsa Computer Society 8/01/2004
Don Singleton, President