Citibank: Emailing Sensitive Private Credit Card Information to a Spamtrap

First Chase Bank sent marketing emails that contained personal names and credit card information to spamtraps. Now Citibank is doing the same thing. Today Citibank sent a bulk marketing email to an email address that, if it ever existed at all, has been closed since 2007. The email contained a name and the last four digits of a credit card number. Either Citibank is deliberately including made-up “customer” information to make bulk marketing email look more legitimate (which I doubt), or Citibank has badly mismanaged its customer list *AND* (worse) is including sensitive personal information in marketing emails that are going to unconfirmed and incorrect email addresses. The ESP is Epsilon Interactive via its ESP Bigfoot Interactive.

Sending IP: 206.132.3.184

Spam Sample:

Actual Headers:

Received: from bigfootinteractive.com (arm184.bigfootinteractive.com [206.132.3.184])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Mon, 21 Nov 2011 12:xx:xx -0600 (CST)
DKIM-Signature: <xxx>
DomainKey-Signature: <xxx>
Received: from [192.168.xx.xx] ([192.168.xx.xx:xx] helo=<xxx>)
        by <xxx>.epsiloninteractive.com (envelope-from <<xxx>@info.citibank.com>)
        (ecelerity 2.2.2.45 r(<xxx>)) with ESMTP
        id <xxx>; Mon, 21 Nov 2011 13:xx:xx -0500
Reply-To: =?iso-8859-1?B?<xxx>=?= <1<xxx>@info.citibank.com>
Bounces_to: citicards.<xxx>@info.citibank.com
Message-ID: <<xxx>@info.citibank.com>
X-SS: <xxx>
X-BFI: <xxx>
Date: Mon, 21 Nov 2011 13:xx:xx EST
From: =?iso-8859-1?B?<xxx>==?= <citicards@info.citibank.com>
Subject: Up to $250 back on purchases - a benefit of your Citi Card
To: <xxx>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="<xxx>"

Readable Email:

From: <xxx> <citicards@info.citibank.com>
To: <spamtrap>
Subject: Up to $250 back on purchases – a benefit of your Citi Card
Reply-To: <xxx> <1<xxx>@info.citibank.com>

Citi(R)

Add citicards@info.citibank.com to your address book to ensure delivery.

Cardmember: <xxx>
Account Ending In: <xxx>
Member Since: <xxx>

Please visit the following link to view your message:
http://info.citibank.com/<xxx>

<removed>

This is a message from Citi Cards. If you’d like to refine the types of email messages you receive, or if you’d prefer to stop receiving email from us, please go to:

http://info.citibank.com/<xxx>

Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank’s other businesses which include retail
branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank, N.A. Customer Service
P.O. Box 6500
Sioux Falls, SD 57117
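
How the "Sending IP" above is read out of the headers, as an added example that is not part of the original post: only the topmost Received line was written by the recipient's own mail server, so it is the hop to use for attribution, while the lower hop carries only a private 192.168 address inside the ESP. The receiver hostname `mx.receiver.example`, the trap address and the other filled-in values stand in for the post's redacted `<xxx>` fields and are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the two Received headers from the post, with each
# redacted <xxx> field replaced by an obvious placeholder (assumed) value.
SAMPLE = """\
Received: from bigfootinteractive.com (arm184.bigfootinteractive.com [206.132.3.184])
        by mx.receiver.example (Postfix) with ESMTP id PLACEHOLDER
        for <trap@receiver.example>; Mon, 21 Nov 2011 12:00:00 -0600 (CST)
Received: from [192.168.0.10] ([192.168.0.10:1234] helo=placeholder)
        by placeholder.epsiloninteractive.com (envelope-from <placeholder@info.citibank.com>)
        (ecelerity 2.2.2.45 r(0)) with ESMTP
        id PLACEHOLDER; Mon, 21 Nov 2011 13:00:00 -0500
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def hops(raw):
    """Return one dict per Received header, newest (top) first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        by = BY_RE.search(value)
        ips = []
        for text in IP_RE.findall(value):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
            if ip not in ips:
                ips.append(ip)
        out.append({"by": by.group(1) if by else None, "ips": ips})
    return out

def handoff_ip(raw, own_domain):
    """Public IP recorded by the first hop that our own MTA stamped."""
    # Headers below that hop were written by the sender's systems and can
    # contain anything, so they are not used for attribution.
    for hop in hops(raw):
        host = (hop["by"] or "").lower().rstrip(".")
        if host == own_domain or host.endswith("." + own_domain):
            public = [ip for ip in hop["ips"] if ip.is_global]
            return str(public[0]) if public else None
    return None

if __name__ == "__main__":
    print(handoff_ip(SAMPLE, "receiver.example"))
```
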
