Monday, April 7, 2008

Lamest phish in the pond

Some “phishing” messages (junk E-mail scams attempting to steal recipients' identity by posing as messages from financial and other institutions with which an individual may have an account) are devilishly clever and may slip past even reasonably cautious and knowledgeable Internet users. Then there are those like the following, which came to hand today. (I have re-wrapped some of the header lines to avoid truncation and redacted information relating to Fourmilab's internal network structure.)

From alerts@citibank.com Mon Apr  7 15:53:31 2008
Received: from (REDACTED.fourmilab.ch
        (REDACTED.fourmilab.ch [193.8.230.REDACTED])
	by REDACTED.fourmilab.ch (8.13.6.20060614/8.13.6)
        with ESMTP id m37DpLsL013651
	for <REDACTED@REDACTED.fourmilab.ch>; Mon, 7 Apr 2008 15:53:31 +0200
Received: from exch5.aclu.org (smtp03.aclu.org [65.198.126.244])
	by REDACTED.fourmilab.ch (8.13.6.20060614/8.13.6)
        with ESMTP id m37Dngmt028960
	for <REDACTED@fourmilab.ch>;
        Mon, 7 Apr 2008 15:51:19 +0200
Received: from NYEXFE02.aclu.org ([10.1.1.246]) by
         exch5.aclu.org with Microsoft SMTPSVC(6.0.3790.1830);
	 Mon, 7 Apr 2008 09:21:37 -0400
Received: from User ([85.120.78.130]) by NYEXFE02.aclu.org
         with Microsoft SMTPSVC(6.0.3790.3959);
	 Mon, 7 Apr 2008 09:21:36 -0400
From: "Citibank.com"<alerts@citibank.com>
Subject: To many wrong attemps
Date: Mon, 7 Apr 2008 16:23:34 +0300
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <NYEXFE02md1UtYj7XGe000012db@NYEXFE02.aclu.org>
X-OriginalArrivalTime: 07 Apr 2008 13:21:37.0306 (UTC) 
        FILETIME=[4EC2F7A0:01C898B2]

Because you have to many wrong attemps on your Citibank online banking,
we had to put your account on hold.

Account Status: Blocked

We ask you to complete as soon as possible our security steps 
which will reactivate your online banking.
To do this please follow the link bellow :


http://www.citibank-autentification-message.com/


After this steps are complete you will be contacted by phone
in 3 days by a citibank representative.

Now, of course, in junk mail you can't assume that anything in the headers which wasn't put there by your own servers is genuine. The originating IP address (assuming it is not bogus) belongs to an IP block in Romania. I shall be charitable and assume that the intermediate routing via the American Civil Liberties Union was forged, and that their definition of “civil liberties” does not extend to criminal fraud committed in the interest of identity theft. (A cursory test of one of their mail servers with the mail relay test page at abuse.net shows it as secure against external relays.)

I would usually black out the deliciously misspelled scam site to which the message attempts to direct the recipient, but as the domain had already been pulled by the time I received the message, I'm leaving it in for your amusement. Ain't it great, living in a slum?
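
The header-reading rule above (trust only the Received: lines your own servers stamped; everything below the first foreign hop may be forged) and the sender-versus-link-domain mismatch, as an added example that is not part of the original post: a small Python script that replays both checks over the chain quoted above. The sample message is reconstructed from the quoted headers with the redactions kept, and the `fourmilab.ch` trust suffix is an assumption about which hosts are "ours".

```python
import re
from email import message_from_string

# Constructed from the Received: chain quoted in the post (redactions kept).
RAW = (
    "Received: from REDACTED.fourmilab.ch (REDACTED.fourmilab.ch [193.8.230.REDACTED])\n"
    "\tby REDACTED.fourmilab.ch (8.13.6.20060614/8.13.6) with ESMTP id m37DpLsL013651\n"
    "\tfor <REDACTED@REDACTED.fourmilab.ch>; Mon, 7 Apr 2008 15:53:31 +0200\n"
    "Received: from exch5.aclu.org (smtp03.aclu.org [65.198.126.244])\n"
    "\tby REDACTED.fourmilab.ch (8.13.6.20060614/8.13.6) with ESMTP id m37Dngmt028960\n"
    "\tfor <REDACTED@fourmilab.ch>; Mon, 7 Apr 2008 15:51:19 +0200\n"
    "Received: from NYEXFE02.aclu.org ([10.1.1.246]) by exch5.aclu.org\n"
    "\twith Microsoft SMTPSVC(6.0.3790.1830); Mon, 7 Apr 2008 09:21:37 -0400\n"
    "Received: from User ([85.120.78.130]) by NYEXFE02.aclu.org\n"
    "\twith Microsoft SMTPSVC(6.0.3790.3959); Mon, 7 Apr 2008 09:21:36 -0400\n"
    'From: "Citibank.com"<alerts@citibank.com>\n\n'
    "To do this please follow the link bellow :\n"
    "http://www.citibank-autentification-message.com/\n"
)
HOP_RE = re.compile(r"from\s+(?P<fromseg>.*?)\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze_hops(raw, own_suffix):
    """Walk Received: headers newest-first. A hop is trusted only while the
    'by' host is one of our own MTAs; from the first foreign 'by' onward every
    hostname, IP and date could have been typed in by the sender."""
    hops, trusted = [], True
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if not m:
            continue
        by_host = m.group("by").rstrip(";").lower()
        trusted = trusted and by_host.endswith(own_suffix)
        ip = IP_RE.search(m.group("fromseg"))  # None for the redacted hop
        hops.append({"by": by_host, "from_ip": ip and ip.group(1), "trusted": trusted})
    return hops

def handoff_vs_claimed(hops):
    """IP that really connected to our MTA (last trusted hop) versus the IP
    the bottom Received: line merely claims as the origin."""
    last_trusted = [h for h in hops if h["trusted"]][-1]
    return last_trusted["from_ip"], hops[-1]["from_ip"]

def foreign_link_hosts(raw):
    """Link hosts in the body that are not under the From: address's domain."""
    msg = message_from_string(raw)
    from_dom = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    hosts = re.findall(r"https?://([\w.-]+)", msg.get_payload())
    return [h for h in hosts if h != from_dom and not h.endswith("." + from_dom)]
```

Run on the sample, the handoff IP is the aclu.org relay while the claimed origin is the Romanian address, and the only link host falls outside citibank.com.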

Posted at April 7, 2008 19:29