Phishing Messages May Include Highly-Personalized Information

Published: 2006-03-17
Last Updated: 2006-03-17 01:15:06 UTC
by Lenny Zeltser (Version: 3)
0 comment(s)

Phishing messages are becoming increasingly personalized in attempts to convince the recipients to trust originators of the messages. A phishing email recently submitted to us illustrates this trend. In this case, the message that arrived in the victim's inbox included the person's full name and postal address:

The message masqueraded as a CitiBusiness alert. The "click here" link led to a fraudulent website hosted at The whois record for indicated that the Russian domain was registered a few days prior to the attack.

Where does the personal data come from? In this incident, this victim rarely used his/her full name online, and the name was not included in phone directories. It is possible that the scammer obtained the data from diverse sources and was able to link the fields (name, email address, and postal address) together. More likely, the data originated from a website that stored billing details or from a compromised credit card processor. Yet another possibility is that the scammer purchased the data from legitimate consumer data providers. Even if the scammer was not certain that the victim's records were correct, even a small number of matches would increase the number of fooled victims.

If you were wondering what awaited the victim at the website set up for the phishing attack, wonder no more:

Mimicking the real CitiBusiness Online website, the phishing site allowed the victim to enter his/her Business Code by clicking on images of numbers in the form. The URL that brought the person to the fraudulent site included a unique identifier that allowed the site to track email recipients. It is possible that the identifier was used to pull up the victim's records from the fraudulent site's database; another possibility is that the victim's name and address were actually encoded in the URL string. As a result, two screens later, the victim was presented with his/her postal address and full name without having to supply them to the site:

After allowing the victim to correct the address, the site prompted the person for additional sensitive information, such as date of birth, social security number, and mother's maiden name:

We reported this phishing attempt to Anti-Phishing Working Group and Citibank. If you have witnessed highly-personalized phishing scams of this nature as well, please send us the details.

This note incorporates comments from several ISC handlers. I am very grateful for their contributions.

Lenny Zeltser
ISC Handler
0 comment(s)

Large Child porn Arrest and how to report it.

Published: 2006-03-15
Last Updated: 2006-03-17 02:01:26 UTC
by Johannes Ullrich (Version: 5)
0 comment(s)
Major news media reported today about a large child porn sting operation, which resulted in 27 arrests in several countries. In this context, if you find / observe such activity, please report it in the US to the National Center for Missing and Exploited Children. Please DO NOT send us any samples or links, but report it to the National Center's Cyber Tipline (see link on their home page).

The National Center for Missing and Exploited Children is tasked by the US government to coordinate the response in such cases and will forward reports to the appropriate law enforcement entities. Let us know if you know about similar entities in other countries and I will add respective links.

Links for other countries:
Standard Disclaimer: we do not endorse these sites and are not responsible for their content.
That being said these sites have been recommended by a number of readers and we check each one out to see if it looks useful and legit.

Germany: your local "LKA" (Landes Kriminal Amt). For a list, see the list of addresses.
Switzerland: (for all cyber crime)
for other countries, check

(Thanks to everyone submitting links!)

0 comment(s)
Diary Archives