Security Sentinel: Help! Help! Somebody call the cops!
By Toni McConnel, Contributing Editor
iApplianceWeb
(08/19/03, 11:28:15 PM EDT)
Here's an e-mail message I received on Saturday, August 15:
Dear Citibank customer,
We are letting you know, that you, as a Citibank checking account holder,
must become acquainted with our new Terms & Conditions and agree to it.
Please, carefully read all the parts of our new Terms & Conditions and
post your consent.
Otherwise, we will have to suspend your Citibank checking account.
This measure is to prevent misunderstanding between us and our valued customers.
We are sorry for any inconvinience [sic] it may cause.
Click here to access our Terms & Conditions page and not allow your Citibank
checking account suspension. [I have removed the underlying hyperlink
of this sentence.]
The e-mail was in HTML format with a background that I recognized as the
Citibank web page style, and at the bottom was the standard Citibank address
and phone information.
There were several tip-offs that the e-mail wasn't legitimate, but I had
never received anything like this before and instead of noticing all the
things that didn't make sense, my first reaction was to ponder why I had
received this notice, because I don't have an account at Citibank.
Since the wording seemed to imply that this might be an account that has
been neglected for a while, my second reaction was to wonder if I had an
account at Citibank that I had forgotten about. These wonderings didn't
take more than a few seconds to run their course, and then I noticed the
clues that the e-mail was bogus:
1. The return address was someone at Earthlink.com -- not Citibank.com.
2. The e-mail was addressed to me at an address I have used in only one place:
on a web page where it is given as a way to request a document. I never use
that address for business otherwise. Someone had to have retrieved it from
that location.
3. The word “inconvinience” is a misspelling. Corporate mailings are
spell-checked; I don't think any real communication from Citibank would have
such a gross spelling error.
The sentence “Click here to access our Terms & Conditions...” had this
underlying hyperlink:
http://www.citibank.com:ac98HAAA9UWDTYAZJWVWAAAA9pYWwgc2l6ZT00PjxTVgc2l6ZT00PjxT3Aac98HAAA9UWDTYAZJWVWAAAA9pYWwgc2l6ZT00PjxTVgc2l6ZT00PjxT@211.155.234.84/cgi-bin/s.pl?m=[here they inserted my e-mail address].
I was puzzled by the format of the URL. A colon after Citibank.com instead of a backslash?
How could this possibly work?
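The colon-and-@ form is the optional user:password@ part of a URL's authority: everything before the @ is treated as credentials, and the connection goes to the host that follows it. As an added example (not part of the original column), this Python sketch parses the links in an HTML mail body and flags that pattern; the sample body, the shortened credential string and the 203.0.113.5 documentation address are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def inspect_link(url):
    """Return (host_actually_contacted, findings) for one link from an e-mail."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # authority = [userinfo "@"] host [":" port]; text before "@" is never the host
    if parts.username is not None:
        findings.append("userinfo-present")
        if "." in parts.username and parts.username.lower() != host:
            findings.append("userinfo-looks-like-hostname")
    try:
        ipaddress.ip_address(host)
        findings.append("host-is-ip-literal")
    except ValueError:
        pass  # an ordinary DNS name
    return host, findings

class _HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def flag_links(html_body):
    """Map each suspicious link in html_body to (real_host, findings)."""
    collector = _HrefCollector()
    collector.feed(html_body)
    checked = {url: inspect_link(url) for url in collector.hrefs}
    return {url: result for url, result in checked.items() if result[1]}

# Constructed sample: same shape as the link in the column, documentation IP.
DECOY = "http://www.citibank.com:ac98HAAA9UWD@203.0.113.5/cgi-bin/s.pl?m=user@example.com"
SAMPLE_BODY = (
    f'<p><a href="{DECOY}">Click here</a> to access our Terms &amp; Conditions page.</p>'
    '<p><a href="https://www.citibank.com/">Citibank home</a></p>'
)

if __name__ == "__main__":
    for url, (host, findings) in flag_links(SAMPLE_BODY).items():
        print(f"{host}: {', '.join(findings)}\n  {url}")
```

A colon followed by a port number, as in http://www.citibank.com:8080/, has no @ in the authority and is not flagged.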
Of course by this time I realized that the message was an attempt to lure
users to a web page where it is highly likely they will be made a present
of a virus, so I wasn't willing to check it out myself.
The next question I asked myself was, who would fall for this in the first
place? Someone who does have a Citibank account and who is either young
and naïve or who is not at their peak of mental alertness, that's who.
Someone who recognizes the stationery design and reads the message
and clicks before thinking it through. You can't count on no one being
fool enough to respond.
My final thought was, if there is a web site, it's traceable.
If someone acts quickly, the culprit can be caught.
I don't think you want to wade through the tedious details of what
I went through trying to find out what law enforcement or regulatory agency
I could alert to this -- quickly! -- and how. Summary: nobody.
I ended up on the web site of the Federal Trade Commission where I filled
out a form reporting the incident as fraud. Even the venerable SANS
Institute wasn't interested (SANS is the primo source of virus information)
-- they sent me to the FTC site.
A form sent to the FTC? That's like calling the police to say, “There's
a burglary in progress and I can tell you where the thieves are this very
minute!” and having the dispatcher tell you, “Fill out this form and we will
look into it by-and-by.” By the time the FTC form is processed the
web page will no doubt be long gone.
I called Citibank and was informed that they know about the e-mail and are
investigating it. But they shouldn't have to do that. This is
a job for law enforcement.
In an earlier column I ranted about the federal government's refusal to acknowledge
its obligation to protect us from attacks of this nature, being stuck in
an out-dated view of what constitutes an act of war. The government's
“National Strategy to Secure Cyberspace” says, in essence, we'll help you
sometimes, in limited ways, but it's up to you, folks, you're on your own,
we wish you luck, everybody cooperate, OK?
Oh yeah? What weapons do we have to fight this kind of war? What
resources? If you know of any other than the FTC fraud complaint page,
let me know and I'll post the information in a future column. Please
don't suggest virus protection publishers like Symantec. The only way
you can call Symantec is to pay a consultation fee for the call. You
can't e-mail them, either. You can do what you do on the FTC site:
fill out a form and hope somebody gets to it eventually.
Contributing editor Toni McConnel is a freelance writer specializing in
technical articles. You can see her articles at
www.techrite-associates.com