Witnessing the Meltdown
2004-10-08 9:50 AM
The Phishers are getting more crafty

Y'all have probably seen 'phish' e-mails which claim your Citibank / Amex / etc. account has been compromised and you need to log in and change your password, etc. Of course the link they provide is to one of their snarky servers which lasciviously secret away your private data...

Still, check out the header on this recent phish. Someone did a good job hiding that this e-mail originated in South Korea.
Headers:

X-Apparently-To: bboerner@xxx.net via 206.190.37.168; Fri, 08 Oct 2004 06:27:39 -0700
X-YahooFilteredBulk: 218.235.114.182
X-Originating-IP: [218.235.114.182]
Return-Path: <support@citibank.com>
Received: from 207.115.57.50 (EHLO ylpvm19.prodigy.net) (207.115.57.50) by mta809.mail.yahoo.com with SMTP; Fri, 08 Oct 2004 06:27:37 -0700
X-Header-Overseas: Mail.from.Overseas.source.218.235.114.182
X-Header-NoReverseIP: IP.name.lookup.failed[218.235.114.182]
X-Originating-IP: [218.235.114.182]
Received: from 207.115.57.16 ([218.235.114.182]) by ylpvm19.prodigy.net (8.12.10 083104/8.12.10) with SMTP id i98DRPqD004818; Fri, 8 Oct 2004 09:27:28 -0400
X-Message-Info: myu/DS+7/QW/zvt+77/507105457115559
Received: from bracket161.wool.support@citibank.com (cowhide057.support@citibank.com [218.235.114.182]) by smtp-angeles.geiger.support@citibank.com (Postfix) with SMTP id 750JQ7F28B for <bblow@swbell.net>; Sat, 09 Oct 2004 22:28:03 +0600
Received: from smtp-dar.shipboard.support@citibank.com ([218.235.114.182]) by z86-wot0.support@citibank.com with Microsoft SMTPSVC(5.0.5264.1336); Sat, 09 Oct 2004 21:26:03 +0500
Received: from smtp-later.loudspeaker.support@citibank.com ([218.235.114.182]) by hcm8-gzi01.support@citibank.com with Microsoft SMTPSVC(5.0.5599.1020); Sat, 09 Oct 2004 12:27:03 -0400
X-Message-Info: TIQH+%ND_LC_CHAR[1-3]633+ob+KK+02/869624546298029
Received: from sink.support@citibank.com ([5.210.154.4]) by aluminate.support@citibank.com with MailEnable ESMTP; Sat, 09 Oct 2004 19:25:03 +0300
Date: Sat, 09 Oct 2004 15:22:03 -0100
Message-Id: <59999540.19742@support@citibank.com>
From: Customer Support <support@citibank.com>
To: Bblow <bblow@swbell.net>
Subject: Dear customer your details have been compromised
MIME-Version: 1.0 (produced by klystronseance 9.1)
Content-Type: multipart/alternative; boundary=“--36957779540356467”

Dear Customer:

Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately.

This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.

This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.

Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.

Please use our secure counter server to indicate that you have signed on, please click the link bellow:

http://xxx.xxx.xxx.xxx/citifi/

!! Note that we have no particular indications that your details have been compromised in any way.

Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,

Citibank(R) Card Department

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC. Citibank and Arc Design is a registered service mark of Citicorp.
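The Received lines above can be checked mechanically. This is an added example, not part of the original post: it trusts only the unbroken run of hops stamped by the recipient's own providers at the top of the chain, reports the connecting address that run logged, and flags what is wrong with every hop below it. The TRUSTED suffixes are an assumption about which servers belong to the recipient's providers, and parse_hop and analyze are hypothetical helper names.

```python
import re
from email.utils import parsedate_to_datetime

# Received: header values copied from the phish above, newest (top) first.
RECEIVED = [
    "from 207.115.57.50 (EHLO ylpvm19.prodigy.net) (207.115.57.50) by mta809.mail.yahoo.com with SMTP; Fri, 08 Oct 2004 06:27:37 -0700",
    "from 207.115.57.16 ([218.235.114.182]) by ylpvm19.prodigy.net (8.12.10 083104/8.12.10) with SMTP id i98DRPqD004818; Fri, 8 Oct 2004 09:27:28 -0400",
    "from bracket161.wool.support@citibank.com (cowhide057.support@citibank.com [218.235.114.182]) by smtp-angeles.geiger.support@citibank.com (Postfix) with SMTP id 750JQ7F28B for <bblow@swbell.net>; Sat, 09 Oct 2004 22:28:03 +0600",
    "from smtp-dar.shipboard.support@citibank.com ([218.235.114.182]) by z86-wot0.support@citibank.com with Microsoft SMTPSVC(5.0.5264.1336); Sat, 09 Oct 2004 21:26:03 +0500",
    "from smtp-later.loudspeaker.support@citibank.com ([218.235.114.182]) by hcm8-gzi01.support@citibank.com with Microsoft SMTPSVC(5.0.5599.1020); Sat, 09 Oct 2004 12:27:03 -0400",
    "from sink.support@citibank.com ([5.210.154.4]) by aluminate.support@citibank.com with MailEnable ESMTP; Sat, 09 Oct 2004 19:25:03 +0300",
]
TRUSTED = (".prodigy.net", ".yahoo.com")  # assumption: the recipient's own providers

def parse_hop(value):
    """Split one Received: value into claimed names, logged IP and timestamp."""
    fields, _, stamp = value.rpartition(";")
    ips = re.findall(r"\[(\d+\.\d+\.\d+\.\d+)\]", fields)
    return {
        "from": re.search(r"^from (\S+)", fields).group(1),
        "by": re.search(r"\bby (\S+)", fields).group(1),
        "ip": ips[-1] if ips else None,
        "when": parsedate_to_datetime(stamp.strip()),
    }

def analyze(received):
    """Return (IP logged at the trust boundary, [(by-host, reasons)] for hops below it)."""
    hops = [parse_hop(v) for v in received]
    # Trust only the unbroken run of trusted servers at the top: anything lower,
    # even a line naming a trusted host, was supplied by whoever connected.
    edge = None
    for hop in hops:
        if not hop["by"].endswith(TRUSTED):
            break
        edge = hop
    if edge is None:
        raise ValueError("no hop stamped by a trusted server")
    findings = []
    for hop in hops[hops.index(edge) + 1:]:
        reasons = []
        if "@" in hop["from"] or "@" in hop["by"]:
            reasons.append("'@' is not valid in a hostname")
        if hop["when"] > edge["when"]:
            reasons.append("stamped later than the trusted receipt")
        findings.append((hop["by"], reasons))
    return edge["ip"], findings

if __name__ == "__main__":
    print(analyze(RECEIVED))
```

On this message every hop below ylpvm19.prodigy.net trips both checks, and the address that relay logged for the connecting client matches the X-Originating-IP header.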
© 2001-2010 JournalScape.com. All rights reserved. All content rights reserved by the author. custsupport@journalscape.com