[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Fw: Citibank reminder: please update your data

Subject: Re: [Full-Disclosure] Fw: Citibank reminder: please update your data
From: Frederic Charpentier <fcharpen@xxxxxxxxxxxxxxxx>
Date: Fri, 08 Oct 2004 15:47:32 +0200

About Citibank Scam :
it's an phising attack based on GDI+ JPEG overflow.

The exploit JPEG is named Ducky.jpg, and is detected by some antivirus systems as Trojan.Ducky.

The message from CityBank is not textual, but an imagemap of an image that is made to look like text. The image is called sushi.gif, and it is believed to be used in attempt to evade anti-spam systems that are based purely on textual analysis. When the recipient clicks on the link within the imagemap, they are redirected to 67.43.211.1871:87/cit/index.htm.

Upon clicking on the imagemap, the user is taken to a site to enter confidential information. The interesting part of this image entry dialog box is that it also opens a legitimate copy of the Citibank Web site under the phishing dialog to further enhance its perceived legitimacy. The Window in the foreground is malicious and posts to verify.php on 67.182.134.119, while the window in the background is the legitimate homepage of Citibank.

The result of a successful compromise is the downloading and execution of ll.exe from maybeyes.biz. ll.exe is then saved to c:\y.exe and executed. Upon execution, y.exe calls URLDownloadToFile() on http://www.maybeyes.biz/upd.exe. This file is then saved as %SYSTEMROOT%\divxencoder.exe. When executed, divxencoder.exe will parse the system for the explorer.exe process for the purpose of injecting a DLL into its memory space.

When run, the DLL contacts 65.75.185.210 on ports 9348 and 9323 to download the XML configuration file that will be used as the basis for the phishing spam.

Frederic Charpentier

Pablo wrote:

This hit me today.
The URL is:
http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D
( http://211.97.248.60:87/cit/confirm.htm )

----- Original Message ----- From: "CITI" <supprefnum2@xxxxxxxxxxxx> To: <paa-listas@xxxxxxxxxxxxx> Sent: Thursday, October 07, 2004 9:08 PM Subject: Citibank reminder: please update your data

in 1965 Surfing Love Stories in 1905 a When you in 1920 Vacation
Entertainment Everything please Andrea Thompson ANALYSIS NYTimes It's
impossible no doubt Nintendo Have a good time So, if we.. Coyote Ugly that's
a call for you Father's Day in 1955 Terra in 1850 X Men What area, please?
------------------------------------------------------------------------


--
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] Fw: Citibank reminder: please update your data
  - From: DSardina

References:
- [Full-Disclosure] Fw: Citibank reminder: please update your data
  - From: Pablo

Prev by Date: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
Next by Date: [Full-Disclosure] Second Call for Papers Workshop PRIMA 2005: Privacy Respecting Incident Management
Previous by thread: RE: [Full-Disclosure] Fw: Citibank reminder: please update your data
Next by thread: RE: [Full-Disclosure] Fw: Citibank reminder: please update your data
Index(es):
- Date
- Thread