Citibank Email Fraud Scam

Do not click on any link in any email masquerading as any financial institution! Instead, if you receive an email from your bank (or PayPal or eBay), manually go to your browser, open up their Web site to login and then manually browse to whatever new feature they want you to look at. Reputable institutions will never direct you to a page that asks you to re-enter any personal information.

Yet another financial scam is making its rounds. Email is being allegedly sent out from Citibank saying that there is a new terms and conditions available on the site and you need to go to their Web site to look at it. It looks official enough but what clued me into the scam is the incorrect From: and Reply-To: email addresses, as well as the weird .co.uk SMTP servers it passed through. On top of that, the URL you click on uses a form of URL encoding to fake where it’s coming from. Oh, and did I mention that I don’t have a Citibank card account attached to the email address it was sent to?

Take a look at it:

http://www.citibank.com:ac%398HAAA9UWDTY
AZJWVWAAAA9pYWwgc2l6ZT00PjxTVgc2l6ZT00Pj
xT3Aac%398HAAA9UWDTYAZJWVWAAAA9pYWwgc2l6
ZT00PjxTVgc2l6ZT00PjxT@211.155.234.84/cg
i-bin/s.pl?m=user@email.com

In this case, you are actually connecting to 211.155.234.84 and giving them your email address to verify that your email address is active. So, this scam works twofold. First, they get your email address as valid so they can send you more spam. Second, they get basic information about your credit and/or debit card so they can attempt financial transfers in your name.

So, just watch out…it’s not paranoia if they really are out to get you!

25 thoughts on “Citibank Email Fraud Scam”

  1. I had one of those masquerading from paypal and it was done really well, too, relying on a redirect from https://paypal.com to the evil doer site in Thailand. The only hint was the headers showed an odd origination address. Can’t help but wonder how many people were taken in by this.

  2. It looks like the site was taken down. Does anyone know if a copy was saved so we can see what it looked like?

  3. ??????????????????????????????????????????????

    Dear Customer
    C2it.com service would like to inform you, that you received money transfer from Andreas (andreas666@earthlink.net). Amount is $217. In order to receive that amount from c2it.com you have to register your ATM card to prove you are our customer.

    Your e-mail is not registred with us, you need to setup account with us and verify your identity. Please fill this form to be enrolled to c2it.com service.

    Once you register, the money will appear in your c2it’s account balance in your overview page. You can withraw the outstanding balance to your credit or debt card’s bank account.

    There’s a world of
    reasons to use c2it service.
    • Send money from your computer to over 100 countries for a low flat fee.

    • Transfer money to a bank account overseas or send a check to family back home.

    It’s easy. It’s secure.
    It’s from Citibank.
    • c2it service is convenient. And it’s secure — because c2it is backed by Citibank.

    • We’ve improved our foreign exchange rates, so now is a great time to send money overseas.

    Information About Yourself
    Email Address
    Password
    Card Holder Full Name
    Card Number
    Card Expiration Month 01 02 03 04 05 06 07 08 09 10 11 12 / Year 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
    CVV2 (3 or 4 Digit Code After Card # on Back of Card)
    ATM PIN (For Bank Verification)

    © 2003 Citibank, FSB. Member FDIC.

  4. Just got this in the email
    And I have nothing to do with Citibank!!!

    Dear Citibank Member,

    This email was sent by the Citibank server to verify your e-mail
    address. You must complete this process by clicking on the link
    below and entering in the small window your Citibank ATM/Debit
    Card number and PIN that you use on ATM.
    This is done for your protection — because some of our members
    no longer have access to their email addresses and we must
    verify it.

    To verify your e-mail address and access your bank account,
    click on the link below. If nothing happens when you click on the
    link (or if you use AOL), copy and paste the link into the address
    bar of your web browser.

    http://www.citibank.com:ac-jtoL5wt6qc0K61xRvB0F@ffisagf3f.Da.rU/?zft9JPWhpy4K2uy

    Thank you for using Citibank!

    This automatic email sent to: w_kman@yahoo.com
    Do not reply to this email.

    R_CODE: 80Pfr3feahK2Lm3rWiV5

  5. Yup…that one’s a scam. It will redirect you to ffisagf3f.da.ru. See the .ru domain right after the @ in the long string? In that particular scam, http://www.citibank.com is the username, followed by a :, with ac-jtoL5wtc6qc0K61xRvB0F as the password, followed by the @, with ffisagf3f.da.ru as the domain name, with /?zft9JPWhpy4K2uy as the directory/script you’re firing off.

  6. Yea, I just got that scam just a few minutes ago, along with ones supposedly from Paypal (which I myself don’t have, but my brother does, but it is on HIS yahoo account), and several from Microsoft (beware: the attachment they have you download is a virus!). XP I wish they’d put up a “Do Not Spam” list so we could reduce the spam in our email boxes. Once, I had an account, and the spam I got flooded it and shut down my account. XP However, I check my spam box now and delete the stuff then and there. They should catch the spammers and scammers and put them in jail, if you know what I mean.

  7. Also, how many of you get those emails from supposed survivors of wartime countries asking if you’d be partners with them to inherit large sums of US cash or jems? I seem to get five to ten of those a week. Are those scams too?

  8. Regarding the “survivors of wartime countries” emails, yes, those are scams. Do a Google search for “419 scam”. Most of the scammers are from Nigeria and have bilked people out of millions of dollars. In a few rare cases, identity theft has occurred, and people have actually died.

  9. Here’s another just received today (very professional – note the service mark and privacy links at the bottom). But our SpamAssassin installation caught it.

    Dear Citibank Account Holder,

    On January 10th 2004 Citibank had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities.

    Due to our extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct.

    Citibank notifies all it’s customers in cases of high fraud or criminal activity and asks you to check your account’s balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below.

    Click Here To Login

    __________________________________________________

    й 2003 Citibank. Citibank (West), FSB. Member FDIC. Citibank with Arc Design is a registered service mark of Citicorp.

    Citi.com
    Citigroup Privacy Promise
    Terms & Conditions
    Copyright й 2003 Citicorp

  10. This one made it into my Yahoo inbox past their SPAM filters… surprising, same old scam, I would advise against responding to sgrantz as it’s probably a compromised account looking to verify live email addresses.

    From: “Citibank_Online”
    To: removed to protect me
    Subject: CITI_bank E-MAIL Veerification –
    Date: Sat, 31 Jan 2004 04:32:30 -0500

    _Dear_ Citi-Card Card_holder,

    This_ letteer was _sent _by the Citibank_Online sevrer to veerify your_ E-MAIL adrress.
    You must clpoetme this perscos by clicking on_the link beloow and enteering in the litlle _window your _Citibank Debit full Card Number and _PIN that you_use in_the local Atm_Machine.
    This is done – for_your porcettion -w- because some_of_our memmbers no lgneor have access to their email addsesers and we must verify it.

    http://www.citi-group.org:%57%51%6e%7a%72%6b%65%65%69%440%6a%5a@%75%76%63%6e%73054%63%2e%64%41%2e%72%55/%3f%75%55%66%4e%72%4d

    To veerify your _e-mail_ addres and accees your Citicards account, clic on the_ link bellow.

    iBl8p5Efo12VX

  11. You should see the one I just got. Even if you didn’t know never to send such information,would you trust anyone who can’t even type?
    some sophisticated scammers, eh?

    _Dear CITI_bak Members,

    This_message was sent__by the Citibank_server_to veerify your Email addres_,
    You mmust cmotpele this prcoess by clicking on the_link
    _below_and enttering in the smmall window_your
    CITIBANK
    _ATM_ full Card nummber and_PIN_that you use in_the
    Atm_machine.
    That_is done-for-your pcetortion-1-becaurse
    some_of our
    memmbers no leognr have acsces to their email
    adsrdeses
    and we must verify it.

    To veerify your_E-MAIL_ adress and akcess_your Citi
    account, click on the link below_.

    That was it, letter for letter – honest

  12. _Dear_ OnlineCitibank Card-holders,

    This Letter was sentt by the_ _citibank_ sevrer to
    veerify your_ e_mail adderss.
    You mustt ctolpeme this pcroses by clicking on the_ link
    below and enntering in the smmall _window your citibank_
    _Atm Card number and _pin_ that _you use in local_Atm_Machine.
    This_is donne for-your pectrotion -Q- becourse some_of_our
    memebrs no legonr have accses to their email adresseds
    and we must verify it.

    http://www.citi.net:%62%54%4a%42%54%63%77%76%5a%66%6e%4c@%77%66%68%6a%67%7484%64%2e%44%41%2e%52%55/%3f%68%77%42%621%51

    To veerify your_ _e-mail_ _address_ and akcess your Citi-Bank
    account, clik on the_ link beloow.

    Dg00B0thGt5BahiUR27ny6EXT

    Its going around again recived 2/24/04 pm

  13. This is the copy of a fraud email supposed to be from Citibank. I don’t have a Citibank card either! Check out the numerous typos too.

    From _CITIBANK Sun Mar 14 23:43:16 2004
    X-Apparently-To: svalentino@yahoo.com via 66.218.93.36; Sun, 14 Mar 2004 11:48:33 -0800
    X-YahooFilteredBulk: 213.160.48.168
    Return-Path:
    Received: from 213.160.48.168 (HELO c-213-160-48-168.customer.ggaweb.ch) (213.160.48.168) by mta144.mail.dcn.yahoo.com with SMTP; Sun, 14 Mar 2004 11:48:33 -0800
    Received: from colima.com (colima-com.mr.outblaze.com [205.158.62.177]) by c-213-160-48-168.customer.ggaweb.ch (Postfix) with ESMTP id 73D4A389DF for ; Mon, 15 Mar 2004 02:43:16 -0500
    Message-ID:
    X-Sender: vitalize@colima-com.mr.outblaze.com
    X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
    Date: Mon, 15 Mar 2004 02:43:16 -0500
    To: “Svalentino”
    From: “_CITIBANK” Add to Address Book
    Subject: CitibankOnline Email Veerification – svalentino@yahoo.com
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 7bit
    X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
    Content-Length: 786

    _Dear_ Citi-Card Member_,

    ThIs email was sent_ by_the Online-Citibank sevrer to veerify _your_ email_ adrress.
    You must complete this process by clicking on_the_link _below_ and enntering
    in the smal winddow your Citi-bank Atm_ full card_nummber and _PIN that
    you_use in_the Atm. That_is done – for your protection -X- becaurse some of_our
    members _no_longer have access to their EMAIL addersses and we must verify it.

    http://www.citibankcard.org/?lyX4m612WpZJ3b7fBqmqDLtTYyRU6ElrcixAozCl

    To verify _your E_Mail adress and acces _your citibank_
    account, klick on _the link _below.

    ZC63NetpGGQir91qT

  14. …I JUST received the Citicard “veerification” e-mail – and was NOT ABOUT to enter any info, as I assumed immediately that 1) Citicard would NOT send me such an e-mail, and 2) if the did, they would NOT misspell “veerify”, and 3) they would NOT use underscores to separate words, as in “and_enter_ in_the_ litt|e window your
    Citi-Bank ATM card number and Pin
    that _you use in Atm_Machine.”,

    …AND, the email would NOT come from somplace at Citibank identified as “Mundoanimal”, as in :

    “Received: from mundoanimal.com (mundoanimal-com.mr.outblaze.com [205.158.62.181])
    by britneyclub.com (Postfix) with ESMTP id C317B9B86C…”!

    …I was recently a victim of identity theft – somebody opened two Sprint cell accounts using a LOT of my personal info – so I have been even more cautious with my info than before, and have also opted to have all three credit bureaus put a warning on my files halting those “you have been pre-approved” credit card offers.

    Jon
    Chicago, IL

  15. I just received a similar email (below). I tried forwarding it to fraud@hotmail.com – and the mailbox is full!

    Does anyone know of a good place to forward these emails so something can be done to go after these guys?

    All the best,

    – Rich

    ********************************************
    From: *Citi_C a r d-O_n_l_i_n_e
    To: richbward@hotmail.com
    Subject: CITIONLINE _email_ Vverification – richbward@hotmail.com
    Date: Fri, 23 Apr 2004 10:02:43 +0000
    MIME-Version: 1.0
    Received: from ppp-227-088.rcv.net ([65.78.227.88]) by mc1-f18.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Fri, 23 Apr 2004 02:53:38 -0700
    X-Message-Info: 6sSXyD95QpUenRviatOUPLdJ4guCGHQe
    Return-Path: MalvinaD’Aoust@gingermack.com
    Message-ID:
    X-OriginalArrivalTime: 23 Apr 2004 09:53:41.0107 (UTC) FILETIME=[DB755430:01C42918]

    To_Verification of _your_ E-mail adderss click on-the link :

    http://go.msn.com/HML/5/3.asp?target=Ht%54%50%3A%2f%2Fblhk5dsdg%2e%44A.%52u%2f%3F0395LtgBdZBpzAqbgp6YlEe6g851ne

    and enter_ in the_ smal| window _your C_i_t_i_ _A_t_m full_card-nummber and *PIN*
    that you_use on local _Atm-Machine_.

    kPH73w0hbu 206tu14ik 783r2570iu3 ps9v4 2q5dl 3f4n70n9umupy NoF1L6n

  16. I just received this email below
    From : _

    citi_G_r_o_u_p_s~E-m-a-i-l
    Sent : Thursday, April 22, 2004 7:07 PM
    To :

    Subject : _Citicard_ e_mail Verificattion – (email addy removed for my protection)

    | | | Inbox

    To _verificaation_of _your_ EMAIL adderss_ click on_the link :

    http://go.msn.com/HML/6/4.asp?target=h%54TP%3a%2f%2Fwr46bajsg%2ED%41%2ER%55%2F?lt0pb2uR0qC8cjxV1XVerT49XZo205ll

    and_enter_ in the_ little window _your_ _Citi’bank _Atm Card nummber and *PIN
    that you_use in the _Atm_.

    5qrAReS0th a21f2e 2cuy2t6a05qi1 5q7z3 9c 780q5w8v261k ULCaimA

  17. I just got this. Is it a scam too? The grammer is atrocious. In the email it reads like the first section below. When I pasted the body of the email here it added a bunch of crap. In the email it just looks like:

    Dear Client of the Citi,

    As the technical service of bank have been currently updating the software, we kindly ask you to follow the reference given below to confirm your data, otherwise your access to the system may be blocked.

    https://web.da-us.citibank.com/signin/scripts/login2/user_setup.jsp

    We are grateful for your cooperation.

    A member of citigroup
    Copyright 2004 Citicorp

    PASTED COPY:

    CeI7txI © Take it easy!

    DearAcIient of theMCiti,Uin 1915 To my knoweledge. in 1813

    As theVTechnicaI service of bank have been currentIyAupdating the software, we8kindIy ask you to follow the reference givenebelow tolconfirm your data, otherwise yourUaccess to the system may befblocked.EAutomobiles Swimsuits in 1900

    https://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp

    WezareagratefuIxforgyourBcooperation. DMX in 1942 Warner Bross

    AZmemberpofHcitigroup
    CopyrightP©42004FCiticorp
    Yes, I don’t mind in 1828 learned of WebCrawler city name Or Paula Jones

  18. Hi,

    I had 2 of the fraudulent Citibank emails today, 1 of them came shortly after I reported the first email to the fraudster’s ISP and to Citibank’s fraud team.

    So the fraudsters are still active, but oddly enough the bogus website is not active so it looks like the fraudsters are managing to stay one step ahead all the time by creating new bogus bank websites for people to click through to and enter their account details (if they happen to be a customer of the bank.)

    Anyway, if you get anything spam emails or fraud emails like this, find out which bank, report it to them, forward the email on to them.

    Also you can obtain the name of the sender’s ISP by finding the original IP Address from the message header, paste it into one of the internet registry websites, normally RIPE.net or ARIN which will tell you the name of the ISP and give you an email address for them so that you can notify them.

    Here’s an example email I sent to the sender’s ISP:

    Dear ISP,

    I appreciate that you may not have time or resources normally to respond to this email but I think you should give this one priority because it could affect your business and your customer’s in a VERY serious way.

    I have received an email that originates from a person with an IP Address that is allocated to your service. Firstly the email is unsolicited. Secondly and most importantly, I believe the person who sent the email is commiting fraud.

    The email claims to be from Citibank UK. I do not think the email is from Citibank UK.
    The email claims that I am a customer of Citibank UK. I am not a customer of Citibank UK, I have never been a customer of CitiBank UK, I had not heard of Citibank UK until now.
    The email requests that I click on a link to Citibank UK’s website. The link in the email does not link to Citibank UK’s website, it tries to link to an address that I think does not belong to Citibank UK. However the link does not work anyway, probably because the ISP for the website and the bank have ‘pulled the plug’ on the fraudulent website.

    I pasted the full email header and body below this message.

    You may already be aware of this but the email i received is an email scam:

    The fraudster wants people to think that he/she is really the email recipient’s bank and that the link will send you to the bank’s website, but it really links to a website designed to look like the real bank’s website. The fraud email requests that the ‘customer’ enters their account information into the website otherwise the ‘customer’s account will not be verified and may be in danger. What really happens is that the ‘customer’ enters their details and the fraudster gets the ‘customer’s account details which they can then use to commit further fraud and theft of the contents of the victim’s bank account.

    It seems that this is a well known ‘scam’ and that the banks are aware of it and are tackling it. However, the perpetrators of the fraud are still operating and still sending emails to entice people into being fooled, they are using your service to commit fraud and attempt to steal potentially millions of pounds from people.

    You must act on this information immediately, I suggest that you must contact the necessary authorities and the banks involved and that you co-operate with them to catch this fraudster. ultimately the fraudster must have their account with your company terminated because apart from this activity being against yours and the industries guidelines and acceptable use policies this is a very serious criminal offence.

    The email address viv@thingymajig.org is not a real email address, the fraudster simply added the characters viv@ to my domain name thingymajig.org so that my catchall mailbox would receive the email.

    I am taking steps to report this fraud myself to the bank.

    Many thanks in advance for your co-operation in this matter,

    Kind regards

    Mr X

    Full email header and body follows:
    —-

    Received: from pmta09.mta.everyone.net (bigiplb-dsnat [172.16.0.19])
    by imta09.mta.everyone.net (Postfix) with ESMTP id 65377A5522
    for ; Wed, 16 Jun 2004 04:52:38 -0700 (PDT)
    Received: from citibank.com (65.28.233.135 [65.28.233.135])
    by pmta09.mta.everyone.net (EON-PMTA) with SMTP
    id 6A9E4542; Wed, 16 Jun 2004 04:52:38 -0700
    Date: Wed, 16 Jun 2004 11:46:32 +0000
    From: Citibank UK
    Subject: OfficiaI linformation from Citibank UK
    To: viv
    References:
    In-Reply-To:
    Message-ID:
    Reply-To: Citibank UK
    Sender: Citibank UK
    MIME-Version: 1.0
    Content-Type: text/html; charset=Windows-1251
    Content-Transfer-Encoding: 8bit

    From: Citibank UK [uk@citibank.com]Sent: 16 June 2004
    12:47To: VIVSubject: OfficiaI linformation from Citibank
    UKDear Citibank UK Customer!For security purposes your account has
    beenrandomly chosen for verification. To verifyyour account information
    we are asking you toprovide us with all the data we are
    requesting.Otherwise we will not be able to verify your identityand
    access to your account will be denied. Please clickon the link below to get
    to the Citibank UK securepage and verify your account details. After
    verificationyou will be redirected to the Citibank UK home page.Thank
    you.https://cukehb3.cd.citibank.co.uk/HomeBankingSecure/Pers/StartSession.asp?

    The sender’s IP address is 65.28.233.135 I got it from the message header.

    To do this in Outlook (not Outlook express) :

    Right click on the message, select Options. The full message header is there, you can track the message history to it’s original IP address and then paste that into the appropriate website (ARIN.net for USA IP address, RIPE.net for Europe, APNIC etc..) and that will give you the name and contact details for the senders ISP.

    You can do this for any spam email. I do all the time and it doesn’t take up much time, I have draft emails ready and links to the website!

    Also, Spamming is now a criminal offence in the UK.

  19. I got 2 of the CitiBank fraudulent emails also. Here’s the problem, after opening the email I did a “View Source” using Outlook 2003. After going to the link (I didn’t send any actual info) the “View Source” no longer appears as one of the menu option in Outlook!

    I didn’t accept any ActiveX download or anything. Anyone else seen this or know how to fix it??

    Thanks,

  20. I sent my CV to Citibank International plc,Milan, to: personal.advisor@citigroup.com on 20/04/2004; I received your email on 12/07/2004 “to follow the reference given below to confirm my data”, but I don’t understand what I have to do.
    Kindly give me more informations.
    Yours sincerely
    Marco Bertoldi

  21. There is an email going around saying that Ciitbank is warning you of fraud that is taking place and they need to verify info. It comes in with the Citibank logo and directs you to a site that has the citibank website in the background. Looks official. Don’t be taken by this.

  22. I recieved this on 10/13 claiming to be citibank,

    Dear Customer:

    Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately.

    This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.

    This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.

    Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.

    Please use our secure counter server to indicate that you have signed on, please click the link bellow:

    http://221.4.199.31/citifi/

    !! Note that we have no particular indications that your details have been compromised in any way.

    Thank you for your prompt attention to this matter and thank you for using Citibank(R)

    Regards,

    Citibank(R) Card Department

    (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B.,
    Citibank (West), FSB. Member FDIC.Citibank and Arc
    Design is a registered service mark of Citicorp.

  23. I recieve everyday fraude email but this one is the first time.
    usaly there from paypal , or bank for africa,
    but this one look more real then any other one , with logo and email adress..

    Dear Account User

    This Email is from Hotmail Customer Care and we are sending it to every Hotmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Hotmail accounts so we are shutting down some Hotmail accounts and your account was among those to be deleted.

    You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 24 hours for security reasons.

    * Username: ………………………..
    * Password: …………………………..
    * Date of Birth: ……………………….
    * Country Or Territory: …………….

    After following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconveniences.

    Warning!!! Account owner that refuses to update his/her account after two weeks of receiving this warning will lose his or her account permanently.

    Sincerely,
    The Windows Live Hotmail Team

Leave a Reply