[LUAU] How Does this Work?

MonMotha monmotha at indy.rr.com
Thu Apr 29 15:43:55 PDT 2004


R. Scott Belford wrote:
> I recently received, correct that, SpamAssassin filtered the following 
> email.  Researching it led me to these two links, among many
> 
> 
> http://www.inertramblings.com/archives/000454.html
> 
> http://www.millersmiles.co.uk/identitytheft/011104-citibank-email-scam.php
> 
> and I recall hearing of an unpatched IE bug that could lead to a false 
> URL being displayed.  However, using Mozilla on OS X I was taken to the 
> "citibank.com" domain, and it was deceiving.  I just don't bank with 
> them.  Can anyone explain what is happening on a more technical level 
> than what I have found so far?

...

> To log into your account, please visit the online banking
> http://web.da-us.citibank.com&BVP=/cgi-bin/citifi/scripts/&M=S&US&_u=visitor 
> 
...

That link doesn't work for me in Mozilla (brings up an error dialog), but the 
use of &BVP= is probably a weirdo escape sequence that rewrites .com into some 
odd ccTLD that someone bought up.  I've gotten a similar mail, but it was in 
HTML.  Did we possibly lose something in the HTML-to-plaintext conversion?


--MonMotha
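
Added example, not part of the original thread: a small Python check that splits the link exactly as it appears in the plaintext message and reports why its host part is suspect. Everything between "//" and the first "/" is the authority, so "&BVP=" sits in the host position rather than in a query string. The function name inspect_link and the userinfo check are additions that go beyond the one link quoted above; IPv6 literals are not handled.

```python
import re
from urllib.parse import urlsplit

# The link exactly as it appears in the plaintext message quoted above.
LINK = "http://web.da-us.citibank.com&BVP=/cgi-bin/citifi/scripts/&M=S&US&_u=visitor"

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def inspect_link(url):
    """Split a URL as a generic parser does and list reasons to distrust its host."""
    parts = urlsplit(url)
    authority = parts.netloc
    # Anything before the last '@' in the authority is userinfo, not the host.
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.split(":", 1)[0]  # drop an optional :port

    findings = []
    if at:
        findings.append("authority carries userinfo before '@': %r" % userinfo)
    bad_labels = [label for label in host.split(".") if not LABEL.match(label)]
    if bad_labels:
        findings.append("host labels that are not valid DNS labels: %r" % bad_labels)
    if "&" in authority or "=" in authority:
        findings.append("query-style characters in the authority, not after '?'")

    return {
        "authority": authority,
        "host": host,
        "path": parts.path,
        "query": parts.query,
        "findings": findings,
    }


if __name__ == "__main__":
    result = inspect_link(LINK)
    for key in ("authority", "host", "path", "query"):
        print("%-9s %r" % (key, result[key]))
    for finding in result["findings"]:
        print("FLAG:", finding)
```

For the link in the message the parser reports an empty query and a last host label of "com&BVP=", which cannot be looked up in DNS as written.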


