Wambooli Dispatch

Anatomy of a Spoof

The Bad Guys have many tricks up their sleeves in their relentless pursuit to deprive you of your money. After just receiving such a scam e-mail, I thought I'd show you how the tricks work and how many normal — and smart — folks are often duped out of thousands of dollars, simply by not knowing enough about their computer.

The Hoax Message

On February 29 I received a message that looks very much like it's from Citibank, where I have an account. The important parts are highlighted below.

From: "support@citibank.com" <support@citibank.com>

Reply-To: "support@citibank.com" <support@citibank.com>

The e-mail appears to be from Citibank. In fact, if you reply to it, your message will be sent to support@citibank.com, as shown in the e-mail header. This is often enough to "prove" to unsuspecting folk that the message is legitimately from Citibank. But the contents should raise an eyebrow for anyone concerned with privacy:

This email was sent by the Citibank server to verify your E-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Citibank ATM/Debit
Card number and PIN that you use on ATM.

Never, ever should you give out your credit card number or PIN. Never. Even at the bank they won't ask for it; they instead have you input your PIN on a little handheld device.

Note that some scams aren't even this obvious; sometimes they'll ask for your mother's maiden name or your Social Security Number, neither of which should ever be given out in an e-mail message. The only time I've ever given out such information is when I initiate a call to the credit company and they ask me for that information for verification. If they call me, then it's none of their business.

Of course, the scam here doesn't involve you responding to the e-mail with the information. No, because this message, like most spam, is sent from a spam relay center, responding to the real address would result in a bounced message. So instead you must visit a web site. (Which is ridiculous, because it nullifies the e-mail verification argument the hoax is based on.)

https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp

To the unsuspecting user, this looks like a legitimate Citibank web page. Even those for whom "a little knowledge is dangerous" will recognize that HTTPS indicates a "secure" web site. Therefore, they click away thinking that the next web page they see is from Citibank. Here's what that page looks like:

I don't need to remind you that this is not a web page from Citibank. It sure looks like it. But there were a few flashes and blinks before that page opened, which is important, and I'll explain what happened in a moment. Even so, to the unsuspecting eye, the page looks like it's Citibank. Even the "Address" bar reflects a Citibank URL. Or does it?

One more thing: Where do you input your e-mail address? Remember, that's the premise of the message in the first place. Yet all this page apparently wants is your credit card number, expiration date, and PIN. Yet some foolish people out there fill it in and click the submit button. Dumb. Dumb. Dumb.

NOTE: I do not recommend you click a link in a scam e-mail.

Digging Deeper

One of the things I do when I get a suspected hoax or scam e-mail is to evaluate the message's source code or "view it in the raw." That way anything that may be hidden by technology is suddenly revealed to me.

In Eudora, I can click on the Blah-Blah-Blah button to see all the details in the message. In Outlook Express, you need to open the message, choose Properties from the File menu, click the Details tab, then click the Message Source button: an ordeal. But what's revealed is the raw message source, which is often concealed because e-mail can be formatted or sent in HTML format. The reason is obvious: the sender has something to hide.

First, the message header told me a lot:

Though the message claims to be from citibank.com (blue), the Message ID states that it came from hotmail.com (green). But that message ID has been spoofed as well.

There are three Received: headers in the message. The last one in the list was added to the e-mail header first. It states that the message was received from an IP address in Singapore. The next Received: item in the list confirms this (pink).

Indeed, the e-mail is not from Citibank. But what's scarier is the link you have to click. While it appears to be a Citibank URL it is, in fact, not. Here's how the link looks in the raw HTML code:

<A href="http://210.169.91.178/scripts/email_verify.htm">https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp</A>

The text displayed looks like a Citibank URL, but the actual link is to a web page at address 210.169.91.178. When you click on that link, it takes you to that web page, which is hosted by some computer, this time in Japan.
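The two checks just described, reading the Received: chain from the bottom up and comparing a link's visible text with its real href, as an added example that is not the article's code; the sample message, its hostnames and its RFC 5737 addresses are constructed, and Python 3.8 or later is assumed.

```python
"""Added example, not the article's code: walk a raw e-mail's Received: chain to the
earliest hop and flag <a> tags whose visible URL names a different host than the href."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the IP addresses are RFC 5737 documentation ranges.
RAW_MESSAGE = """\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org; Sun, 29 Feb 2004 10:02:00 +0000
Received: from relay.example.com ([198.51.100.7]) by mail.example.net; Sun, 29 Feb 2004 09:59:00 +0000
Received: from [203.0.113.45] by relay.example.com; Sun, 29 Feb 2004 09:58:00 +0000
From: "support@citibank.com" <support@citibank.com>
Content-Type: text/html

<html><body>Click <A href="http://203.0.113.45/scripts/email_verify.htm">
https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp</A></body></html>
"""
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def received_hops(raw):
    """IPs from Received: headers, earliest hop first: relays prepend, so the LAST header
    is the first hop. Only lines added by servers you trust are reliable; the rest may be forged."""
    headers = message_from_string(raw).get_all("Received", [])
    return [m.group(0) for h in reversed(headers) if (m := IPV4.search(h))]

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(raw):
    """(shown URL, real href) pairs whose hosts differ: the scam's link trick."""
    parser = LinkCollector()
    parser.feed(message_from_string(raw).get_payload())
    return [(text, href) for href, text in parser.links
            if urlparse(text).scheme in ("http", "https")
            and urlparse(text).hostname != urlparse(href).hostname]
```

Plain "Click here" links and links whose visible URL and href share a host are not flagged; only the visible-URL-on-another-host pattern the scam relies on is.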

When you visit that web page, it immediately reconfigures your web browser. This is the flashing and blinking of windows I described earlier. The real Address Bar is "hidden," which can be done using the JavaScript web page programming language. In its place, a bogus Address Bar is displayed, along with the Citibank URL, again fooling some people into believing that they are using a Citibank server. (But also notice that the "secure" padlock that usually appears in the window is gone, meaning that you are not on a secure web page.)

Bottom Line

Honestly, I just want to say DON'T BE FOOLISH! If you really want someone you don't know using your credit card, then give it to some hobo in your home town. Don't let some overseas crook fool you out of such vital information, not to mention the cash.

Citibank, as well as other financial institutions, does not inquire about your account via e-mail. Remember one of my mantras: important stuff DOES NOT come through e-mail. Vital information is delivered via the phone or regular mail.

Just because the e-mail looks like it's from someone you know, trust, or do business with does not mean it's really from that person. Even if you look at the e-mail source, it really takes an expert to determine whether or not the message was spoofed and where it really came from. When in doubt, send the person a message just to be sure.

Be defensive! It's better to be suspicious 100 percent of the time than a duped sucker even 1 percent of the time.