Friday, April 21, 2006

Are Citibank crazy?

I blogged a while ago about Thunderbird's phishing filter trapping a seemingly innocent mail. Now, a reader has forwarded to me a genuine email from Citibank that he says was trapped by Thunderbird. I'm not going to reproduce the email here because it contains private details of the user, but it is a valid Citibank message.

Thunderbird thinks it's a scam because Citibank uses one of the oldest phishing tricks in the book. They have a URL displayed in the message that, when clicked, goes to a totally different URL. Here's the offending HTML:

If you do not wish to receive future account-related email,
select the last option at the following link:
<a href="">

So the geniuses send out a message that disguises the link with the link

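As an added example (not code from the post, and not Thunderbird's actual filter), here is a small Python check that does what the post describes the filter doing: it pulls every anchor out of an HTML mail body, keeps the ones whose visible text looks like a URL, and flags any where the host the reader sees is not the host the href actually points at. The sample mail body below is constructed with example domains; it is not the Citibank message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML mail body with example domains (not the Citibank mail).
# Link 1 shows the reader one URL but sends the click to a different host.
# Link 2's visible text and target agree. Link 3's text is not a URL at all.
SAMPLE_HTML = """
<p>If you do not wish to receive future account-related email,
select the last option at the following link:</p>
<a href="http://click.tracker.example/r?id=123&amp;u=unsub">https://www.example-bank.com/unsubscribe</a>
<p>Security tips:
<a href="https://www.example-bank.com/security">https://www.example-bank.com/security</a></p>
<p>Or <a href="https://www.example-bank.com/help">click here</a> for help.</p>
"""

# Visible anchor text that a reader would take to be a web address.
URL_TEXT = re.compile(r"^(?:https?://|www\.)\S+$", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; tolerates text like www.example.com/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Return anchors whose displayed URL host differs from the href host."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        if not URL_TEXT.match(text):
            continue  # plain-text links ("click here") carry no displayed host
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append(
                {"shown_text": text, "href": href,
                 "shown_host": shown, "href_host": real}
            )
    return findings


if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_HTML):
        print(f"displayed {f['shown_host']} but href goes to {f['href_host']}: {f['href']}")
```

Run against the sample, only the first link is reported. The comparison is on the exact hostname, so a legitimate mailer that routes clicks through a tracking or redirect host, which is exactly what the post says Citibank does, trips the rule just as a phish would; that is the false-positive problem the comments below discuss, and the reason to treat a hit as one scoring signal rather than a verdict on its own.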

Shortly after the disguised link there's the following text which links to various sites with information about protecting yourself online. The first link takes you to a Citibank page which has a sub page about email security.
There are simple steps you can take to protect yourself from fraud while online, such as never sending personal or financial information by email. (We'll never ask for it.) For more information, please review the recommendations of the U.S. Government and others at the following sites:
On the email security page ( there are some examples of actual Citibank phish mails that almost certainly used the same technique of URL hiding that Citibank is employing!


Justin Mason said...

Yeah, Citi really don't seem to have the slightest clue of how to deal with their outbound mails and the phishing problem.

This is disappointing...

This is also why we in SpamAssassin don't use that kind of rule as an anti-phish test -- I blogged a bit about that here:

JoeChongq said...

Citibank isn't the only one. The ones I got from MBNA a few months ago really worried me. They appeared to be phishing mails and had a bit too much information, my full name and ending numbers of my account. Eventually I figured out it was legitimate, but how are regular people supposed to know the difference between phishing and real if the real ones are so strange?

MBNA uses for all its email links and the email comes from that domain. This is one of their links:

<a href=""></a>