Citibank Phishing – Expert Comment And Analysis From Lucy Security CEO Colin Bastable

Any hacker can add a certificate to a phishing site. Even a free, 90-day one from the certificate industry’s Let’s Encrypt joint venture. In driving the adoption of certificates for all on-line businesses, the tech industry just ensures that consumers can be robbed securely and quickly. Many users access their email and bank accounts on mobile devices, while multi-tasking (unfortunately for example, while driving), and this makes it harder to spot phishing sites.

A certificate used to be taken as a sign of authenticity, but no longer.

As for the OTP triggering, hackers are at least as smart as the best white-hat developers, and are far more motivated.

They appear to have used a GoDaddy certificate to avoid the “http” trap. Immutable certificate logs show that the attack must have taken place between 8:30am Jan 20 and 22:30 on Jan 21, when it was revoked.

The attackers could have used one of two basic methods to create a realistically looking copy of the Citi bank. Web scraping can create an exact copy that you can instantly install on your own webserver. Another approach is to simply proxy communication between users and the genuine Citi bank website. Combining those two approaches may increase the time needed for detection. Using cached public pages would hide the traffic coming from a single, or a small number of IP addresses, although this can be also achieved by using a network of compromised servers – a botnet.

The fact is, using a proxy, it is a relatively simple matter for the hackers to display actual bank account data and add credibility to an attack.