This virus laughs all the way to the bank
HTML_CITIFRAUD.A is a non-destructive HTML virus that exploits an Internet Explorer
(IE) vulnerability enabling a malicious user to spoof a website to obtain Citibank
ATM/Debit card and PIN numbers, of target users. To steal critical information
it redirects affected users to a website that appears to be identical to the
authentic Citibank website. It prompts target users to enter their ATM card
number and PIN. It runs on systems supporting the Internet Explorer environment,
and is currently spreading in the wild.
The malware is embedded in a spammed e-mail that poses as an urgent notification
from Citibank. The e-mail sent by a remote malicious user to target recipients
contains the following:
To: <target recipient>
Subject: Important Fraud Alert from Citibank
Dear Citibank Account Holder,
On January 10th, 2004 Citibank had to block some accounts in our system connected
with money laundering, credit card fraud, terrorism and check fraud activity.
The information in regards to those accounts has been passed to our correspondent
banks, local, federal and international authorities.
Due to extensive database operations some accounts may have been changed. We
are asking our customers to check their checking and savings accounts if they
are active or if their current balance is correct.
Citibank notifies all of it's customers in cases of high fraud or criminal activity
and asks you to check your account's balances. If you suspect or have found
any fraud activity on your account please let us know by in at the link below.
<Click Here to Login>
By clicking the 'Click Here to Login' button, the user is connected to a malicious
website which looks identical to the genuine Citibank website, and prompts the
user to provide their access codes and other credentials.
HTML viruses use scripts embedded in HTML files to do damage. These embedded
scripts automatically execute, the moment the HTML page is viewed from a script-enabled
Citibank has sent out alerts to its customers, not to fall for an e-mail that
urges them to log on to a website to verify that their accounts have not been
tampered with. The e-mail is similar to one last August when an Internet scammer
threatened to close Citibank checking accounts if customers failed to divulge
Other recent fake e-mails include one from Citibank Security Department
seeking account information to help the bank upgrade its computer servers, and
another from "Accounts Management" seeking credit card information
so that customers might "maintain the Citibank experience."
These are examples of "phishing"--the use of spam, or junk e-mail,
to lure people to bogus websites that look like those of reputable companies,
and deceive them into divulging personal data. The term is derived from the
act of computer thieves "fishing" for private data.
Customers receiving suspicious e-mails should notify Citibank at (www.citibank.com),
where a list of known fraudulent e-mails is posted.
The new e-mail, purporting to be from Citibank, said that on January 10, the
bank blocked some accounts "connected with money laundering, credit card
fraud, terrorism and check fraud activity." It said the bank sent account
data to government authorities, and may have changed some accounts.
"Citibank notifies all its customers in cases of high fraud or criminal
activity and asks you to check your account's balances," the e-mail said.
It provides a link "if you suspect or have found any fraud activity on
Trojan Horse poses as Windows XP update
A new Swen worm-like Trojan horse posing as a critical update from Microsoft
has been detected on the Internet, and users who open the e-mail message may
find their machines loaded with a backdoor.
Dubbed Trojan.Xombe (as in zombie), it shares some characteristics of the
Swen worm family; it poses as a message from Microsoft and alleges to carry
a security update in its file attachment. However, unlike Swen, a worm which
first appeared last September, Trojan.Xombe doesn't self-replicate.
The false message, which sports a spoofed sending address of firstname.lastname@example.org,
uses the subject line 'Windows XP Service Pack 1 (Express)Critical Update'
to trick recipients into opening the attached file.
"Windows Update has determined that you are running a beta version of Windows
XP Service Pack 1 (SP1)," the message's text reads in part. "To help
improve the stability of your computer, Microsoft recommends that you remove
the beta version of Windows XP SP1 and re-install Windows XP SP1." The
message goes on to urge the user to run the winxp_sp1.exe file attachment to
re-install SP1, and recommends that anti-virus software be disabled, as it "may
interfere with the installation."
Trojan.Xombe downloads a backdoor IRC Trojan horse to the compromised machine.
Once that's installed, attackers can access the PC undetected, add other code
to the computer--such as key trackers for acquiring passwordsand use the
machine to launch DoS attacks on other machines. Trojans are being integrated
into almost every piece of malicious code.
Hackers today want to amass an army of compromised machinestypically called
zombiesthat they can use for other purposes.
Position Last month Virus
Percentage of reports
1 New W32/Sober-C 23.3%
2 New W32/Mimail-K 21.3%
3 4 W32/Dumaru-A 13.8%
4 8 W32/Mimail-J 2.7%
5 2 W32/Mimail-C 2.2%
6= 6 W32/Gibe-F 1.9%
6= New W32/Mimail-I 1.9%
8 9 W32/Klez-H 1.8%
9= New W32/Torvil-A 1.6%
9= 2= W32/Mimail-F 1.6%
Position Hoax Percentage
1 Hotmail hoax 21.7%
2 Meninas da Playboy 15.2%
3 A virtual card for you
4 Bonsai kitten 5.3%
5 Press 9 5.2%
6 Budweiser frogs screensaver
7 JDBGMGR 4.0%
8 Elf Bowling 3.4%
9 Bill Gates fortune 3.2%
10 Frog in a blender/Fish
in a bowl 3.0%
11 Others 28.2%
(From January 9, 2004 to
January 15, 2004)
Source: Trend Micro