The scam pretends to be Citibank replete with an authentic-looking website, according to cybersecurity news site BleepingComputer, which credits MalwareHunterTeam as the organization that discovered the scam.
The fake Citibank domain, or website address, is a convincing fake: "update-citi .com." That's a big first step in potentially fooling Citibank customers since scams often use domain addresses that are easily identifiable as fake.
The scam also uses a so-called Transport Layer Security (TLS) certificate and other security measures that “could easily cause people to believe they are submitting their personal information on a legitimate page,” according to BleepingComputer.
Security certificates lend additional credibility to the scam because they imply authenticity.
Here’s how the scam works: after a Citibank customer is fooled into entering their login information, they are shown forms that request personal information. That includes name, date of birth, address, the last four digits of their social security number, their debit card number and other card information that is typically requested like security codes, according to BleepingComputer.
“It is believed, but not confirmed, that during this period the phishing page will attempt to login to Citibank using the credentials provided by the victim,” the cybersecurity news site said.
“The tool is very easy to set up for any attack and that’s what makes it quite dangerous,” Pratik Savla, senior security engineer at cybersecurity firm Venafi, told Fox News. Often the bad guys will set up a typosquatted domain, such as www.yahooo.com, with an extra “o.” The customer then gets an email inviting them to the site. If the user falls for the bait, all requests to the phishing site can be sent back to the valid site.
(Editor's note: The above web address is for informational purposes only. Fox News strongly advises users not to click on it.)
“Additionally, all pages shown to the user can originate from the valid site. This tricks the user into entering both their primary and OTP [one-time password] credentials. Once done, the attacker can then hijack the session, getting access to the user’s info,” Savla said, referring to a one-time code sent to a cell phone for verification.
The unfortunate fact is many users are so distracted that it makes scams like this that much easier to pull off.
“Many users access their email and bank accounts on mobile devices, while multi-tasking (unfortunately for example, while driving), and this makes it harder to spot phishing sites,” Colin Bastable, CEO of security awareness & training company Lucy Security, told Fox News.