Email title: 'RESERVE', or 'NOTE! Citibank account suspend in process'
Scam target: Citibank customers
Email format: HTML e-mail
Sender: support @ citibank.com
Sender spoofed? Yes
Scam call to action: 'Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately... This personal check is requested of you as a precautionary measure...Please use our secure counter server to indicate that you have signed on, please click the link bellow...'
Scam goal: Getting victim's citibank.com username/password, credit card information
Call to action format: URL link
Visible link: h++p://18.104.22.168/citifi/, or 22.214.171.124/citifi/
Called link: h++p://126.96.36.199/citifi/, or 188.8.131.52/citifi/
Phish website hosted on: 184.108.40.206, 220.127.116.11. Probably on other hosts, too
This attack is spreading very widely. It follows an earlier attack that used the same technique, one that is new to phishing and allows for a very dangerous scam. This time, though, significant phishing clues are left 'uncovered'. First, the e-mail:
See the sample image at Anti-Phishing.org
As you can see, the e-mail does not bear any Citi corporate branding. And although the sender is spoofed, the link is unmasked and highly suspicious.
New trojan is adware killer
But there's a downside as well.
A new Trojan horse program that attacks and removes adware is circulating on the Internet, according to anti-virus company Symantec.
The program, called Downloader.Lunii, was discovered on Monday. When run, it attempts to kill off computer processes and delete files used by common adware programs like Powerscan and BargainBuddy. However, Lunii is not entirely benevolent. Like other Trojan horses, it also modifies the configuration of Microsoft Windows machines and attempts to download files from a remote location, Symantec warned.
Lunii works by halting Windows processes that adware programs use to communicate and by removing known adware programs from systems it infects. The Trojan program also modifies a Windows file called the "hosts" file, inserting its own list of bogus Web sites, which may block access to certain Web pages, Symantec said.
Lunii was rated a low threat by Symantec, which released an anti-virus signature to detect the Trojan on Monday.