Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Citibank Phishing Baits Customers with Fake Suspension Alerts

An ongoing large-scale phishing campaign is targeting customers of Citibank, requesting recipients to disclose sensitive personal details to lift alleged account holds. The campaign uses emails that feature Citibank logos, sender addresses that look genuine at first glance, and content that is free of typos. The Citibank customers targeted in these attacks are informed that their account has been put on hold due to a suspicious transaction or a login attempt from someone else. Because of this, the attackers claim they should take urgent action to verify their accounts to avoid permanent suspension. If the embedded button is clicked, the victims are taken to a website that looks deceptively like a real Citibank portal, where they are requested to sign into their online account. Of course, any user ID and password pairs entered on this website go directly to the threat actors, who may then use the stolen credentials to compromise banking accounts and empty balances. Bitdefender has been tracking this campaign and reports the following statistical findings:

  • 81% of the phishing emails in this campaign target American users
  • 7% of the emails reached UK targets, and another 4% ended up in South Korean inboxes
  • 40% of these emails were sent from U.S. IP addresses, and 13% from Mexico

Apart from the tactic of creating urgency to cause the recipients to miss obvious signs of fraud and jump into action, phishing actors are also using lures promising enormous winnings. More specifically, Bitdefender has identified another large-volume phishing campaign whose distribution culminated between February 11 and 15, 2022, presenting the recipients with a chance to claim financial compensation from the United Nations. The trick employed in this case is to recognize the recipient as a scam victim, one of the 150 people who were deemed eligible for a compensation of $5,000,000 through Citibank. In other cases, the threat actors are doubling the amount to $10,500,000 and include more details in the email to convince the victim of its validity. However, in both cases, the fraud should be obvious, as this is neither how compensations work, nor at the level they would be awarded. For those that do fall for these emails, the scammers request that they fill out their full name, address, age, phone number, and a scanned copy of their national ID card. In this campaign, the details stolen by the victims cannot be directly used for fraudulent transactions but can be instead sold to other criminals on cybercrime markets.

Analyst Notes

Banks rarely inform users of important developments on their account via SMS or email, so whenever a message makes bold claims, call the bank directly and ask to speak to an agent. Do not call the phone numbers provided in the email but, instead, visit the bank’s official website and call the number listed on the contact page. Finally, never click on buttons embedded in the email body and always double-check the URL when preparing to enter login credentials.