When you land on a subdomain like cmprofile.cards.citidirect.com, the name suggests a connection to Citibank's card profile system. But the site itself is a blank wall: it returns a 'Bad Request' error, with no homepage, no login page, and no clues about its purpose. For a backend system, that might be normal, but for anyone who stumbled here by accident, there's nothing to trust or use.
Legitimate bank subdomains usually have working pages, proper security headers, and at least some indication of who operates them. While the SSL certificate is valid and no malware warnings appear, the lack of any visible content or way to contact someone makes this a dead end. The WHOIS record for this subdomain doesn't exist, which is common for subdomains, but it also means we can't verify ownership from that angle.
If you're asking 'is cmprofile.cards.citidirect.com a scam' β there's no evidence of malicious intent, but there's also no evidence this is a functioning site you should interact with. Don't submit any personal information or attempt to log in. The safest move is to treat it as a misconfigured or abandoned endpoint until there's proof it's meant for public use.