CitiBank – A Phishing attempt

Spammers for now have been doing the rounds using fake CitiBank mailers into getting unsuspecting people to click fraudulent links. From ‘Fraud Protection Alert’ to ‘Change In eMail Address’ – these mails have been used to download malware in the background and siphon off user details.

Spammers have resorted to lure the Credit Card holders by providing incorrect information about their transactions. In order to ensure the validity of the statement, the unsuspecting victim clicks on the link.

Even though the mail address from where the mail has arrived is a genuine email-id but the spammers have spoofed this mail id. Upon closer inspection of the message headers, it is revealed that the mail is sent from a Turkey based server.

CitiBank Email Header

Geo-Location of the sender's IP

Given below is a snapshot of where the highlighted links point to and it isn’t CitiBank site, instead its pointing to hxxp://

Fake Email from Citibank

Upon investigating a little further, and prodding into the DNS records of the domain, the registrant is not Citibank.

Whois query for the domain

This time, however, upon clicking the link, a malware is downloaded which in turn infects your system.

In the event you cannot differentiate between a genuine and Phishing mail, always hover your cursor over the given hyperlink. The link will be displayed towards the bottom left of the screen.

Next time you click a link, make sure to check the domain the hyperlink actually points to.

We also investigated into the reason as to why Citi-Bank’s email-id was spoofed and we came across the SPF record being used by Citi-Bank’s domain, and we were surprised that it was incorrectly configured.

Hence, the mail-servers which received this email accepted the email but due to content verification , the email was tagged as SPAM. Had the SPF record been correctly configured then it would have been a different story.

SPF Record of

SPF record of


Its BHEK :

This entry was posted in eScan 11 and tagged . Bookmark the permalink.