Financial phishing campaigns are still a very common attack vector for cybercriminals looking to exploit consumers and businesses alike. Every year, thousands of individuals fall prey to these types of attacks, and the financial repercussions are devastating. This week’s Threat Thursday post takes a look at a spam campaign aimed at Citibank customers. The email blast was spotted by our security research department late Monday evening, in the final hours of Halloween. The campaign uses social engineering tactics against Citibank customers in order to steal personal and financial information.
In a sample email shown below, customers are alerted to an account suspension due to account inactivity. The email then instructs customers to click on the provided URL in order to verify their account. Across the various samples analyzed, our team has observed that the content of the message remains the same; however, each sample is sent to different recipients, many of whom share the same email domain name.
The link leads to a compromised WordPress blog that attempts to visually recreate Citibank’s official account sign-in page. Upon analyzing the email headers in various samples, we’ve seen that the emails are being sent from a private email server not affiliated with Citibank or its subsidiaries. Most likely a malware-infected computer is acting as a relay, pushing these messages out through that email server.
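The header and link analysis described above can be automated as a simple alignment check: if the From: address claims a brand's domain but the first relay in the Received: chain and the hosts linked in the body sit elsewhere, the message is flagged. The following is an added example written for this post, not AppRiver's or SecureTide's own code; the sample message, its hosts and addresses are constructed (.invalid / .example names) and are not real indicators.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the described campaign; the relay, the
# WordPress host and the addresses are invented and not real indicators.
SAMPLE = """\
Received: from mail.example-relay.invalid (mail.example-relay.invalid [203.0.113.10])
    by mx.recipient.example (Postfix) with ESMTP id ABC123
    for <user@recipient.example>
From: "Citibank Online" <alerts@citibank.com>
To: user@recipient.example
Subject: Your account has been suspended

Your account was suspended due to inactivity. Verify here:
http://blog.example-wp.invalid/wp-content/uploads/signin.php
"""

def under(host, domain):
    """True if host is domain itself or a subdomain of it (avoids naive endswith)."""
    return host == domain or host.endswith("." + domain)

def first_relay(msg):
    """Host named in the bottom-most Received: header, i.e. where the mail entered."""
    received = msg.get_all("Received") or []
    m = re.match(r"from\s+([\w.-]+)", str(received[-1])) if received else None
    return m.group(1).lower() if m else None

def link_hosts(msg):
    """Distinct hostnames of every http(s) URL in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return sorted({urlparse(u).hostname for u in re.findall(r"https?://\S+", body)})

def check(raw, brand_domain):
    """Return findings where the claimed brand, first relay and body links disagree."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = msg["From"].addresses[0].domain.lower()
    if not under(claimed, brand_domain):
        return []  # does not claim to be the brand; nothing to align against
    findings = []
    relay = first_relay(msg)
    if relay and not under(relay, brand_domain):
        findings.append(f"relay {relay} is outside {brand_domain}")
    for host in link_hosts(msg):
        if not under(host, brand_domain):
            findings.append(f"link host {host} is outside {brand_domain}")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE, "citibank.com"):
        print("SUSPECT:", finding)
```

The check is deliberately narrow: a real mail gateway would also consult SPF/DKIM results and the full Received: chain, since the bottom-most header is the only one the recipient's own server cannot vouch for.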
AppRiver’s SecureTide engine has quarantined over 14,000 of these emails so far, with several rules in place to block future variants.