Didier Stevens

Sunday 30 November 2008

Quickpost: Citibank Phishing E-mails

Filed under: Quickpost, Spam — Didier Stevens @ 11:28

On November 23rd 2008, the US Government rescued Citigroup by investing an additional $20 billion and guaranteeing some $306 billion of its risky assets.

On November 25th 2008, I started to receive Citibank phishing e-mails in my “SPAM-trap”. At the time of writing, the spam campaign is still active and I’ve received 300+ e-mails, like this one:

[Screenshot: one of the Citibank phishing e-mails received in the spam trap]

This can’t be a coincidence. Although the phishing e-mails don’t mention the financial problems of Citigroup, I’m sure the scammers started this phishing campaign to benefit from the uncertainty surrounding the future of Citigroup.

“I want to be sure that I can get my money out if things start to go really wrong” will be the reaction of many people falling for this scam. The timing and design of this campaign reveal an understanding of the psychology of fear on the part of these scammers. The fear of losing their money in a Citibank bankruptcy will blind some people to the signs of a scam, people who would be more suspicious under normal circumstances.

BTW, one particular Citibank phishing e-mail caught my eye. Its subject starts with [PHISHING] and the body starts with a Panda Antivirus warning:

[Screenshot: phishing e-mail whose subject is tagged [PHISHING] and whose body opens with a Panda Antivirus warning]

Pedro Bustamante from Panda Security told me that this default message is added by Panda Antivirus 2008 to incoming and outgoing phishing e-mails.

This e-mail was probably sent from a botnet member with an installation of Panda Antivirus 2008. As I have only the e-mail and no other info on the botnet member, I can’t analyze why the botnet software isn’t being neutralized by the AV. There can be many reasons.

Much malware uses a brute-force approach to attack AV software. One simple trick I’ve seen many times in malware assembler listings is enumerating all services and disabling those that match an “AV blacklist”. Recent AV products consist of many components. It’s likely that in this case the botnet malware neutralized the AV engine but missed the anti-spam engine.
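The check a defender would want after reading this, as an added example that is not part of the original post: do the mirror image of the malware trick described above. Enumerate the Windows services, match them against a list of AV vendor name patterns, and flag any vendor whose components are in a mixed state (some running, some stopped), which is exactly the “engine killed, spam filter still alive” situation suspected here. The embedded `sc query` output is constructed sample data; the `HypoPanda*` service names are invented for illustration and are not Panda Antivirus 2008’s real service names, and the vendor patterns are illustrative rather than an authoritative list. On a Windows host the script queries the live service database instead.

```python
"""Spot AV products with a mix of running and stopped components.

Added example, not from the original post.  Malware enumerates services and
stops those matching an AV blacklist; this script does the defender's mirror
image: parse 'sc query type= service state= all', group AV-looking services
per vendor and report vendors whose components are only partly running.
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# Illustrative vendor patterns, matched case-insensitively against the service
# name and display name.  Not an authoritative list; extend for your estate.
AV_VENDORS = {
    "panda": r"panda",
    "microsoft defender": r"windefend|msmpsvc|wdnissvc",
    "mcafee": r"mcafee|mcshield",
    "symantec": r"symantec|norton",
    "kaspersky": r"kaspersky|\bavp\b",
    "sophos": r"sophos",
}
_COMPILED = {v: re.compile(p, re.IGNORECASE) for v, p in AV_VENDORS.items()}


@dataclass(frozen=True)
class Service:
    name: str
    display_name: str
    state: str  # RUNNING, STOPPED, START_PENDING, ...


def parse_sc_query(text: str) -> list[Service]:
    """Parse 'sc query' text: one SERVICE_NAME/DISPLAY_NAME/STATE block per service."""
    services = []
    name = display = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
            display = ""
        elif line.startswith("DISPLAY_NAME:"):
            display = line.split(":", 1)[1].strip()
        elif line.startswith("STATE") and name is not None:
            # e.g. "STATE              : 4  RUNNING" -> "RUNNING"
            state = line.split(":", 1)[1].split()[-1]
            services.append(Service(name, display or "", state))
            name = display = None  # remaining lines of the block are ignored
    return services


def classify(svc: Service) -> str | None:
    """Return the vendor key an AV-looking service belongs to, or None."""
    haystack = f"{svc.name} {svc.display_name}"
    for vendor, rx in _COMPILED.items():
        if rx.search(haystack):
            return vendor
    return None


def tamper_report(services: list[Service]) -> dict[str, dict]:
    """Group AV services per vendor and give each vendor a verdict."""
    report = {}
    for svc in services:
        vendor = classify(svc)
        if vendor is None:
            continue
        entry = report.setdefault(vendor, {"running": [], "not_running": []})
        entry["running" if svc.state == "RUNNING" else "not_running"].append(svc.name)
    for entry in report.values():
        if entry["running"] and entry["not_running"]:
            # The scenario in the post: one component killed, another still alive.
            entry["verdict"] = "partially disabled - check for tampering"
        elif entry["not_running"]:
            entry["verdict"] = "all components stopped"
        else:
            entry["verdict"] = "all components running"
    return report


def enumerate_services() -> list[Service]:
    """Query the local Windows service database (Windows only)."""
    out = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    return parse_sc_query(out)


# Constructed sample in 'sc query' layout.  HypoPanda* are invented names,
# not Panda Antivirus 2008's real services.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: HypoPandaAVEngine
DISPLAY_NAME: Hypothetical Panda Antivirus Engine
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: HypoPandaMailFilter
DISPLAY_NAME: Hypothetical Panda Anti-Spam Mail Filter
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: WinDefend
DISPLAY_NAME: Windows Defender
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    svcs = enumerate_services() if sys.platform == "win32" else parse_sc_query(SAMPLE_SC_OUTPUT)
    for vendor, info in tamper_report(svcs).items():
        print(f"{vendor}: {info['verdict']}")
        print(f"  running:     {', '.join(info['running']) or '-'}")
        print(f"  not running: {', '.join(info['not_running']) or '-'}")
```

A stopped component is not proof of tampering on its own (some AV services are on-demand or disabled by policy), so treat the “partially disabled” verdict as a lead to confirm against the product’s own status and the service start type, not as a conviction.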

Anyways, this particular e-mail provided me some WTF entertainment 😉.
