Scam Number: +1 940-977-1491
Domain Used: http://citi-hub.co
Extra Info:
Received a text message on my personal cell:
CITI Alerts: Your online banking has been disabled due to an unusual activity on the account. To verify please visit http://citi-hub.co
I actually do have a Citi card, but this smells like a scam to me.
First, why hasn’t anybody proofread their scripts? “an unusual activity” on “the” account? Try “unusual activity” on “your” account, please.
Second, nice domain. Let’s see who owns it.
```
┌──(rootkali)-[~]
└─# whois citi-hub.co
Domain Name: citi-hub.co
Registry Domain ID: DBC2FCCFE462A45FC87F6448794FE56C2-GDREG
Registrar WHOIS Server:
Registrar URL: www.name.com
Updated Date: 2022-06-07T15:14:42Z
Creation Date: 2022-06-07T15:14:29Z
Registry Expiry Date: 2023-06-07T15:14:29Z
Registrar: Name.com, Inc.
Registrar IANA ID: 625
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.7203101849
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Domain Protection Services, Inc.
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: CO
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: ns3dgj.name.com
Name Server: ns4lpv.name.com
Name Server: ns2fjz.name.com
Name Server: ns1cvw.name.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-06-08T07:21:28Z <<<
```
Completely redacted, registered at name.com just yesterday. [email protected] added to the report list.
It should be noted that Citibank does not redact their registration information.
So next, who is hosting this?
```
┌──(rootkali)-[~]
└─# nslookup citi-hub.co
Server: 10.8.8.8
Address: 10.8.8.8#53
Non-authoritative answer:
Name: citi-hub.co
Address: 35.196.15.137

┌──(rootkali)-[~]
└─# whois 35.196.15.137
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2022, American Registry for Internet Numbers, Ltd.
#
NetRange: 35.192.0.0 - 35.207.255.255
CIDR: 35.192.0.0/12
NetName: GOOGLE-CLOUD
NetHandle: NET-35-192-0-0-1
Parent: NET35 (NET-35-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOOGL-2)
RegDate: 2017-03-21
Updated: 2018-01-24
Comment: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:
Comment: Direct all copyright and legal complaints to
Comment: https://support.google.com/legal/go/report
Comment:
Comment: Direct all spam and abuse complaints to
Comment: https://support.google.com/code/go/gce_abuse_report
Comment:
Comment: For fastest response, use the relevant forms above.
Comment:
Comment: Complaints can also be sent to the GC Abuse desk
Comment: ([email protected])
Comment: but may have longer turnaround times.
Ref: https://rdap.arin.net/registry/ip/35.192.0.0
```
All right, so it’s hosted in Google Cloud. Added [email protected] to the list. Google also requests you use their web form to report abuse.
I also went on Citi’s real website and found [email protected] as a reporting address for phishing attempts.
OK, now let’s take a look at the site.
First I tried logging in through my VPN connection, and got this:
Hmmm, seems like maybe they don’t want VPN connections. Interesting link at the very end, which points to a Telegram address: Telegram: Contact @CO_DEAD
URLSCAN.IO is also blocked.
Finally managed to get to the scam page, and it looks pretty solid.
Except of course they are NEVER going to ask for that information if there’s actually a problem.
Gave them some fake info, and it popped up what LOOKED like Citi’s home page, but inspecting elements still showed everything was from citi-hub.co. After 2 “failed” login attempts it then redirected me to the real Citi page.
Looks like that’s as far as I can go, so I sent off reports to Google, Citi, and Name.com.
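
The WHOIS checks walked through in the post above (registration age, redaction, lookalike name), as an added example that is not part of the original post. It parses an excerpt of the WHOIS output quoted above; the function names, the 30-day threshold, the `citi.com` allow-list and the use of the WHOIS "Last update" time as the observation time are assumptions made for illustration.

```python
from datetime import datetime

# Excerpt of the registry WHOIS output quoted in the post (trimmed to the fields used).
WHOIS_TEXT = """\
Domain Name: citi-hub.co
Creation Date: 2022-06-07T15:14:29Z
Registrar: Name.com, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant Name: REDACTED FOR PRIVACY
>>> Last update of WHOIS database: 2022-06-08T07:21:28Z <<<
"""

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys like Domain Status repeat)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip().strip("<>").strip()  # unwrap the '>>> ... <<<' footer
        key, sep, value = line.partition(": ")
        if sep and value:  # skips empty fields such as 'Registrar WHOIS Server:'
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def triage(text, brand="citi", official=("citi.com",), max_age_days=30):
    """Return (signals, age_hours); brand, official and max_age_days are hypothetical knobs."""
    f = parse_whois(text)
    domain = f["domain name"][0].lower()
    created = parse_ts(f["creation date"][0])
    # Assumption: the WHOIS database timestamp stands in for "when the lookup was run".
    observed = parse_ts(f["last update of whois database"][0])
    age_hours = (observed - created).total_seconds() / 3600
    statuses = [s.split()[0] for s in f.get("domain status", [])]
    signals = []
    if age_hours < max_age_days * 24:
        signals.append("newly-registered")
    if "addPeriod" in statuses:  # EPP status set during the grace period after creation
        signals.append("in-add-grace-period")
    if any("REDACTED" in v for v in f.get("registrant name", [])):
        signals.append("registrant-redacted")  # weak alone; only counts with the others
    is_official = any(domain == d or domain.endswith("." + d) for d in official)
    if brand in domain and not is_official:
        signals.append("brand-lookalike")
    return signals, round(age_hours, 1)
```

On the excerpt above, `triage(WHOIS_TEXT)` reports all four signals and a domain age of about 16 hours at lookup time.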

