Citibank Phishing Campaign Leads to ZeuS Malware
![](https://documents.trendmicro.com/images/citibank_zeus.jpg)
Spammed messages that lead users to websites hosting black hole exploit kits have been spotted in the wild again. This phishing campaign purports to come from Citibank and uses a legitimate Citibank email notification template to trick users into thinking it is genuine. It bears the subject "Your Citi Credit Card Statement" and has forged header information. In addition, the visible URLs in the email message are legitimate Citibank URLs, so unwary users may fall for this lure.
It contains a URL that redirects to a site hosting a malicious JavaScript.
![](https://documents.trendmicro.com/images/citibank_malpage.jpg)
![](https://documents.trendmicro.com/images/citibank_javacode.jpg)
The script points users to a black hole exploit kit server, http://{BLOCKED}.{BLOCKED}.39.83, which then executes exploit code to install various malware onto infected systems. Black hole exploit kits are known to take advantage of various software vulnerabilities to execute ZeuS malware.
- ENGINE:
- PATTERN:8904