ATTENTION: CUSTOMERS Citizens Bank Money Manager GPS Online
By SpamBurner • Sep 26th, 2007 • Category: Finance SPAM, Phishing SPAM
Straight to the point. Nice scheme - we want your money, just enter your info. This is an interesting email since it combines several techniques. Is this SPAM? Obviously. This is typical spam with one main purpose - to get as much as they can. This is so-called phishing spam. The mail subjects can vary a lot, but there are several SPAM symptoms, common patterns that you can see in all spam of this kind. Let's look at them.
Look at the subject again:
ATTENTION: CUSTOMERS Citizens Bank Money Manager GPS Online
The name of the bank is Citizens Bank and the email is sent from:
- mmanagerfraud@citizens.com
Wow! It seems real, doesn't it? If you open citizens.com you will find out that it redirects to https://www.citizensbank.ca/
This will also make you think that all seems OK.
The email headers are interesting but… there is one interesting thing in the spam content.
First, let's look at the content (do not click the links):
Caution:
We continue to be informed that customers and non-customers are receiving fraudulent phishing emails requesting confidential information
and credentials. As a reminder, the bank will NOT send customers unsecured email or other correspondence requesting that they confirm
or provide Customer ID’s User ID’s, card numbers, social security number or PINs and passwords. As always, if you receive any unsolicited e-mails,
phone calls, faxes or other suspicious attempts to gain personal or confidential information, please e-mail us at fraudprevention@cfgcustomers.com
or call Cash Management Client Services at 1-877-550-5933, Monday to Friday, 7 a.m. to 6 p.m. ET. For Additional information please see the events page.
Follow this link to confirm your challenge questions:
Citizens Bank Money Manager GPS Online Services
Sincerely,
Citizens Bank Fraud Department
© 2007 Citizens Bank Online, Inc. All Rights Reserved
They are simply playing - trying to make you feel more comfortable by claiming that this email is trustworthy. While reading it you begin to trust it - they do not want anything? No Credit Card info, No Bank accounts, nothing… Just the secret question!
Did you click the link? This is what the spammer expects - that you click. The original link points to
http://securelogin-07773417.citizensbank.com.rx30.org/Online_Form.htm
and the HTML code built to deceive you is:
<a target="_top" onmouseover="window.status = 'https://www.citizensbankmoneymanagergps.com/'; return true" onmouseout ="window.status=''; return true" href="http://securelogin-07773417.citizensbank.com.rx30.org/Online_Form.htm"> Citizens Bank Money Manager GPS Online Services</a>
The purpose is to trick you: when you hover the mouse over the link, you will see in the browser status bar or the email client bar the address: www.citizensbankmoneymanagergps.com
But the link points somewhere else. Even if we look at the malicious URL we can be misled, because it is too long and begins with
securelogin-07773417.citizensbank.com
The spammer relies on the fact that some mail clients and browsers will not show the full address but only part of it, including citizensbank.com
If we divide the URL by dots we will get:
- securelogin-07773417
- citizensbank.com
- rx30.org
And we realize that the real domain to which the link points is rx30.org, which does not belong to the bank and has nothing in common with it.
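The same comparison can be automated. The following is an added example, not code from the original post: it parses the anchor quoted above, extracts the address shown in the status bar and the real href, and flags both tricks. Taking the last two labels as the registrable domain and the `BRANDS` list are assumptions of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Anchor as quoted in the post, with plain ASCII quotes.
ANCHOR = (
    '<a target="_top" '
    'onmouseover="window.status = \'https://www.citizensbankmoneymanagergps.com/\'; return true" '
    'onmouseout="window.status=\'\'; return true" '
    'href="http://securelogin-07773417.citizensbank.com.rx30.org/Online_Form.htm">'
    'Citizens Bank Money Manager GPS Online Services</a>'
)
BRANDS = ["citizensbank.com"]  # assumption: brand domains worth protecting
STATUS_RE = re.compile(r"window\.status\s*=\s*'(https?://[^']+)'")

def registrable(host):
    """Naive registrable domain: the last two labels (assumption of this
    sketch; real code should use the Public Suffix List, e.g. for .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def embedded_brands(host, brands):
    # A brand counts as embedded when it appears as whole labels to the left
    # of a registrable domain that is not the brand itself.
    reg = registrable(host)
    sub = host.lower()[: -len(reg)].rstrip(".")
    return [b for b in brands if b != reg and f".{b}." in f".{sub}."]

class LinkAudit(HTMLParser):
    def __init__(self, brands):
        super().__init__()
        self.brands, self.findings = brands, []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href_host = urlsplit(a.get("href") or "").hostname or ""
        m = STATUS_RE.search(a.get("onmouseover") or "")
        shown = urlsplit(m.group(1)).hostname if m else None
        self.findings.append({
            "href_domain": registrable(href_host),
            "status_domain": registrable(shown) if shown else None,
            "status_mismatch": bool(shown) and registrable(shown) != registrable(href_host),
            "embedded_brands": embedded_brands(href_host, self.brands),
        })

def audit(html, brands):
    parser = LinkAudit(brands)
    parser.feed(html)
    return parser.findings
```
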
Now let's check the email headers - the speechless witnesses.
Only some of them are interesting - the ones that give the most information:
Return-path:
Delivery-date: Mon, 24 Sep 2007 23:16:56 +0300
Received: from [200.104.201.81] (helo=pc-81-201-104-200.cm.vtr.net)
(envelope-from)
id 1IZuMN-000508-E8
Received: from [200.104.201.81] by mail.aps-now.com; Mon, 24 Sep 2007 16:17:38 -0400
Date: Mon, 24 Sep 2007 16:17:38 -0400
From: "Citizens Bank Money Manager GPS Online Support"
X-Mailer: The Bat! (v3.80.03) Professional
Reply-To: Emilio.Thompson@aps-now.com
What are they telling us?
The email address in the <From> header - mmanagerfraud@citizens.com - is different from the <Reply-To> address - Emilio.Thompson@aps-now.com
If we reply to this email, the reply will go to someone at aps-now.com
Quite suspicious, isn’t it?
- Then, the IP from which the email was sent is 200.104.201.81. This IP address belongs to neither the citizens.com nor the aps-now.com web site.
- Next to it we see the host name - pc-81-201-104-200.cm.vtr.net - which belongs to an internet provider, vtr.net, in Santiago.
- Third, the <X-Mailer> header shows the email client from which the email was sent - The Bat! (v3.80.03) Professional.
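The header checks above can be scripted for triage. This is an added example, not part of the original post: the message is constructed from the header values the post quotes (the From address is the one the post says the mail claimed to come from), and the test for IP octets inside the HELO name is an extra heuristic for ISP-assigned hosts that goes slightly beyond the post.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: header values are the ones quoted in the post.
RAW = """\
Delivery-date: Mon, 24 Sep 2007 23:16:56 +0300
Received: from [200.104.201.81] (helo=pc-81-201-104-200.cm.vtr.net)
\tid 1IZuMN-000508-E8
Received: from [200.104.201.81] by mail.aps-now.com; Mon, 24 Sep 2007 16:17:38 -0400
Date: Mon, 24 Sep 2007 16:17:38 -0400
From: "Citizens Bank Money Manager GPS Online Support" <mmanagerfraud@citizens.com>
X-Mailer: The Bat! (v3.80.03) Professional
Reply-To: Emilio.Thompson@aps-now.com

(body omitted)
"""

RCVD_RE = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\](?: \(helo=([^)\s]+)\))?")

def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    hops = []
    for rcvd in msg.get_all("Received", []):
        m = RCVD_RE.search(rcvd)
        if not m:
            continue
        ip, helo = m.group(1), m.group(2)
        # Heuristic: a HELO name whose first label contains all four octets
        # of the sending IP is typical of an ISP-assigned customer host.
        nums = re.findall(r"\d+", helo.split(".")[0]) if helo else []
        hops.append({"ip": ip, "helo": helo,
                     "helo_embeds_ip": sorted(nums) == sorted(ip.split("."))})
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        # Replies going to another domain than the claimed sender
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "source_ips": sorted({h["ip"] for h in hops}),
        "hops": hops,
        "x_mailer": msg["X-Mailer"],
    }

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```
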
Did I forget to tell you that the email was very ugly? The code was very unprofessional and the images were included as attachments that would never be displayed.
Do you think that a bank will contact their clients in this way?
Combining all the facts, we can conclude that this is a SPAM email. And this is not an innocent SPAM (if we can say spam can be innocent). This one is targeting the customers of the Citizens Bank. Probably hundreds of thousands of emails were sent. The spammer expects that some of the victims are clients of the bank and will be misled.
Of course, you will not be one of the misled.
Hope you enjoy!
