Didier Stevens

Sunday 30 November 2008

Quickpost: Citibank Phishing E-mails

Filed under: Quickpost,Spam — Didier Stevens @ 11:28

On November 23th 2008, the US Government rescued Citigroup by investing an additional $25 billion.

On November 25th 2008, I started to receive Citibank phishing e-mails in my “SPAM-trap”. At the time of writing, the spam campaign is still active and I’ve received 300+ e-mails, like this one:

20081130-105959

This can’t be a coincidence. Although the phishing e-mails don’t mention the financial problems of Citigroup, I’m sure the scammers started this phishing campaign to benefit from the uncertainty surrounding the future of Citigroup.

I want to be sure that I can get my money out if things start to go really wrong” will be the reaction of many people falling for this scam. The timing and design of this campaign reveals an understanding of the psychology of fear by these scammers. The fear of losing their money due to a Citibank bankruptcy, will blind some people for the signs of a scam. People who would be more suspicious under normal circumstances.

BTW, one particular Citibank phishing e-mail caught my eye. Its subject starts with [PHISHING] and the body starts with a Panda Antivirus warning:

20081130-113325

Pedro Bustamante from Panda security told me that this default message is added by Panda Antivirus 2008 to incoming and outgoing phishing e-mails.

This e-mail was probably send from a botnet member with an installion of Panda Antivirus 2008. As I have only the e-mail and no other info on the botnet member, I can’t analyze why the botnet software isn’t being neutralized by the AV. There can be many reasons.

Many malware uses a brute-force approach to attack AV software. One simple trick I’ve seen many times in malware assembler listings, is enumerating all services and disable those who match an “AV blacklist”. Recent AV products contains many components. It’s likely that in this case, the botnet malware neutralized the AV engine but missed the spam engine.

Anyways, this particular e-mail provided me some WTF entertainment ;-) .


Quickpost info


1 Comment »

  1. Ha! That does not make Panda look good. Thanks for the great reporting.

    Comment by Stiennon — Monday 1 December 2008 @ 23:08


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 239 other followers

%d bloggers like this: