Citi Group clients are targeted by scammers who collect passwords and open backdoors for unauthorized remote attackers or download malware on the compromised systems. The attack seems part of a greater campaign conducted by the group behind other malicious spam messages that in January had Better Business Bureau and DocuSign clients open malicious attachments sworn to be legitimate, confidential and time sensitive. Some instances appear to also download components of the BlackHole or ZeuS exploit kits. The emails include a link and an attachment, but the attachment is a password stealer that opens a backdoor for remote attackers.”]