A Citibank Phishing Scam Attempts to Extract Personal Information

Citibank Phishing Attack

Yet another phishing scam targeting Citibank customers was doing the rounds recently. It was discovered by a researcher going by the Twitter handle MalwareHunterTeam, and other cybersecurity sources also reported on it. MalwareHunterTeam announced on Twitter that the page has now been taken down, but examining the scam could still be beneficial, because it will give us an idea of the clever techniques that the phishers use nowadays, and it can also show us what sort of mistakes they make. There were plenty of clever features and a few mistakes in this particular campaign.

Unfortunately, we don't know who organized the attack, and we have no idea what sort of social engineering tricks they used to lure victims to the phishing page. Most likely, the scam begins with an email, but other tricks have also been used in the past. What we do know is that the phishing page used to be hosted on update-citi[.]com and that it looked quite convincing.

A phishing campaign that collects a ton of personal information

The screenshots MalwareHunterTeam shared on Twitter show that people who fell for the scam went through quite a few steps. First, of course, is the fake login page that asks the victim for the username and password to their bank account. When the login credentials are handed over, however, the malicious page doesn't stop requesting information.

The victim is asked to complete a form with their name, date of birth, physical address, and the last four digits of their Social Security Number. After that, they need to enter their banking card details into another form. Once that's done, the page tells them that it's trying to authenticate them – a process that may take up to a minute.

In reality, nobody is quite sure what's happening during that period, but the researchers speculate that while the victim is waiting to be "authenticated," the crooks are trying to use the provided login credentials to break into their account. Of course, they can't immediately compromise the accounts of customers who have enabled two-factor authentication (2FA), but that won't stop them from trying.

Citibank detects the login attempt, and the victim receives a one-time PIN (OTP) as an SMS. After a minute or so, the phishing page requests the OTP, just like Citibank would. Because they think they are logging in at the right place, the customer hands it over and is redirected to the real Citibank website. Meanwhile, the phishers have all the information they need to compromise the user's account.

The clever features

The most notable thing about this campaign is the fact that it tries to bypass Citibank's 2FA system. Two-factor authentication is often considered to be the user's only hope in a phishing scenario, but in this case, the crooks managed to negotiate around it in a pretty convincing way.

They made the phishing page look like the real deal as well. The logos and the fonts look genuine, and the layout is pretty similar to Citibank's online portal. The phishers also obtained a TLS (SSL) certificate for the site, which meant that browsers displayed the lock icon in the address bar. The padlock only confirms that the connection is encrypted, not who owns the site, so for years it has been unreliable as a sign of a website's legitimacy, but some people continue to think that it can guarantee their safety.

As you can see, the phishing crew that launched the attack decided not to stop at the login data and to ask victims for quite a few other personal and financial details. This means that even after the customer realizes that they've been scammed and secures their account, the phishers will still have enough information to perform identity theft.

It must be said, however, that this "in for a penny, in for a pound" strategy could backfire if the potential victim is more careful who they give their data to.

The mistakes

The fact that we don't know how the actual attack begins means that we don't have the entire social engineering setup. Whatever it is, however, Citibank is unlikely to ask for the personal information of existing customers, and it's even less likely to request the details of the credit cards it has issued. If you bear this in mind, you stand a better chance of realizing that something is wrong and clicking the "Close" button before it's too late.

The more observant users will also notice the grammatical and typographical errors that can be seen on almost every page. It's ironic how the crooks continue to put more and more time and effort into the technical side of their campaigns, yet they seem unwilling to invest in a few grammar lessons. The level of written English of the average phisher is so low that typos and awkward phrases now constitute a pretty reliable indicator of a scam. They are not as reliable as the URL, though.

Indeed, every successful phishing attack is preventable with a bit more attention to the address bar. Quite a few people have already taught themselves to look for the green padlock icon, but not enough seem to pay attention to the domain itself. The phishers have a tactic called typosquatting, which involves using domains that look pretty similar to the real thing, but even this won't be enough to fool you if you're cautious.
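As an added example (not from the original article), here is a small Python check that does what the paragraph recommends: it ignores the padlock and looks only at the registrable domain of a link, flagging lookalikes such as the update-citi[.]com page described above. The legitimate-domain allowlist and the abbreviated suffix list are assumptions made for the demo.

```python
# Added example, not code from the article. Classifies a URL by its registrable
# domain (eTLD+1) instead of by the https padlock, which says nothing about who
# owns the domain. LEGIT_DOMAINS and MULTI_LABEL_SUFFIXES are constructed
# assumptions for this demo; a real deployment would use the institution's
# actual domains and the full public suffix list.
from urllib.parse import urlparse

LEGIT_DOMAINS = {"citi.com", "citibank.com"}      # assumed allowlist
BRAND_TOKENS = ("citi", "citibank")               # brand strings to watch for
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}        # tiny stand-in suffix list


def refang(url: str) -> str:
    """Turn defanged notation such as update-citi[.]com back into a real URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(url: str) -> str:
    """Return the registrable domain (eTLD+1) of the URL's host, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Handle two-label public suffixes (e.g. citibank.co.uk -> citibank.co.uk).
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1
        if host.endswith("." + suffix) and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a link.

    Subdomains are ignored on purpose: online.citi.com is legitimate, while
    citi.com.evil.example is judged by its real registrable domain.
    """
    domain = registrable_domain(refang(url))
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    base = domain.rsplit(".", 1)[0]        # strip the final label
    if any(token in base for token in BRAND_TOKENS):
        return "lookalike"                 # brand name used outside allowlist
    return "unrelated"
```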

Phishing is a simple form of cybercrime, and protecting yourself doesn't involve any particularly complex tools or techniques. In the end, being careful and taking a second to make sure that everything is alright could mean the difference between giving your data away and keeping it safe.

January 24, 2020
