Users are tricked into accessing a malware-serving website

Dec 13, 2012 20:51 GMT

Internet users are advised to be on the lookout for notifications claiming to come from Citibank. Entitled “Your Citi Credit Card statement is ready to view online,” the messages appear to legitimately come from the bank, but in reality they’re part of a malware distribution campaign.

The emails inform recipients that their balance is -$4,476, with a payment due date of January 1, 2013.

Those who rush to click on the link that appears to point to a legitimate Citibank website are taken to a domain that hosts the BlackHole exploit kit.

While analyzing this particular spam, I’ve noticed something interesting. If the site is opened with Chrome, victims are presented with a page that urges them to download and install a malicious Chrome update.

On the other hand, if the site is opened with other browsers, the user is almost immediately served a piece of malware via unpatched security holes in commonly utilized applications such as Java or Flash.

Experts described this scenario a few days ago when they explained why the BlackHole exploit kit doesn’t like Chrome.

I advise everyone to be careful when opening such notifications. Be sure to check out the URL that hides behind the link before clicking on it.