Phishing is the act of trying to trick a person out of personal information through a means called social engineering. In other words, it is, basically, me calling you up and asking generic questions to try and find out your bank PIN. That is a real-world example. Online, it tends to look like this:
I got this email this afternoon.
Now, it may or may not be obvious, but that is definitely a phishing email. Firstly, I don't have a Citibank account. Secondly, why would Citibank take me to a site that isn't related to citi.com? Thirdly, "undisclosed recipients"...
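The two checks above that can be automated (a link host unrelated to citi.com, and "undisclosed recipients" in the To header) are sketched below in Python. This is an added example, not code from the original post; the sample message, its sender address and the URL paths are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message (not the email from the post). Only the link
# host is taken from the post; the addresses and paths are made up.
SAMPLE = """\
From: "Citibank" <alerts@citi.com>
To: undisclosed-recipients:;
Subject: Your account needs verification
Content-Type: text/html

<p>Dear customer, <a href="http://exitaudiovisuales.com/example/login.html">sign in</a>
to confirm your details. <a href="https://online.citi.com/help">Help</a></p>
"""

def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw, brand_domain):
    """Return findings for the header check and the link check."""
    msg = message_from_string(raw)
    findings = []
    # Check 1: the message is not addressed to a named recipient.
    to = (msg.get("To") or "").lower()
    if not to.strip() or "undisclosed" in to:
        findings.append("to: undisclosed recipients")
    # Check 2: links whose host is unrelated to the brand's domain.
    body = msg.get_payload()
    for url in re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.I):
        host = urlparse(url).hostname
        if host is None:  # relative or malformed link, nothing to compare
            continue
        if not host_in_domain(host, brand_domain):
            findings.append(f"link: {host} is not under {brand_domain}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE, "citi.com"):
        print(finding)
```

The suffix comparison in host_in_domain is deliberate: a plain substring match would accept look-alike hosts that merely contain the brand's domain.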
Let's take a look at the page. It's ok: they aren't installing anything, and most of the buttons don't work.
It's ok to click
If you click around, the only areas that actually do anything are located where the user would sign in. If you click on Ingresar en espanol, you will find that it goes to a page that isn't located on the same server as this page. Also, the whole top of this page is one image. Here, look.
Here is the top of the page
Also, if you go to Citibank's actual site, it looks a little more polished.
Now, we can go to Who.is and put in exitaudiovisuales.com. Here is what we find.
Domain name: EXITAUDIOVISUALES.COM
Created on: 1997-03-03
Updated on: 2012-03-02
Expires on: 2013-03-04
Registrant Name: AUDIOVISUALES EXIT, SL
Contact: Audiovisuales Exit, SL
Registrant Address: Consell de cent, 77
Registrant City: Barcelona
Registrant Postal Code: 08015
Registrant Country: ES
Administrative Contact Organization: Audiovisuales Exit S.L
Administrative Contact Name: Miguel Angel Leon Garcia null
Administrative Contact Address: Consell de Cent 77
Administrative Contact City: Barcelona
Administrative Contact Postal Code: 08015
Administrative Contact Country: ES
Administrative Contact Email: @disvirtual.com
Administrative Contact Tel: +34 932928330
Technical Contact Organization: Juan Poblet
Technical Contact Name:
Technical Contact Address: Balmes 229
Technical Contact City: arcelona
Technical Contact Postal Code: 0800
Technical Contact Country: null
Technical Contact Email: @disvirtual.com
So, what does this mean? This is a Brazilian site looking for Citibank information.
Now, if you look at the arrests over the last few months among the hacker sects of 4chan.org's Anonymous, and at the Twitter feeds of an Anonymous Brazilian counterpart, Havittaja, there is a lot of Brazilian activity. So, this is obviously a site looking for you to put your information into it so that the person who set it up can get into your account.
Why does this matter? Why did I break down the information? Why did I go through so many steps if I knew it was phishing from the get go?
To educate. We see on Facebook, all the time, people screaming that they got hacked. Or someone saying they hacked another person by abusing the trust of someone who didn't log out when they left the room. This isn't hacking. This is social engineering and, in the case of the latter, abusing the trust of someone you know. Now you know and knowing is half the battle.