Every link in the email leads to a different compromised site with malware hidden inside. In the example below this means nine (!) different URLs; most such emails limit themselves to one or two links.
The links all follow a similar pattern, as shown below:
· http://angelicascakes.com/mem-Jj4e/index.html
· http://decoragyn.com.br/mem-Jj4e/index.html
· http://www.databytez.com/Zyfyo-oh/index.html
· http://www.ncusinagem.com.br/Zyfyo-oh/index.html
The pattern is: http://<compromised domain>/<short random directory name>/index.html, with each directory name reused across a pair of compromised domains.
The index.html file tries to exploit at least the following known vulnerabilities:
· Libtiff integer overflow in Adobe Reader and Acrobat CVE-2010-0188
· Help Center URL Validation Vulnerability CVE-2010-1885
Recipients who are unsure whether an email they have received is genuine (the malicious version is a very accurate copy) should mouse over the links. Genuine emails from AT&T include links to AT&T's own website. For example, the "att.com" link will point to the same URL in both places it appears in the email, unlike the malicious version, which uses two very different URLs for the two occurrences.
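The mouse-over check described above, automated as an added example (not code from the original post): it pulls every anchor out of an HTML email body, flags links whose visible text names the brand while the href points elsewhere, flags hrefs with the /<token>/index.html landing-page shape seen in the list above, and counts the distinct hosts. The sample body and its .test hostnames are constructed; the "att.com" legitimate domain is an assumption for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample (not the campaign's real email): visible text names AT&T, but two hrefs
# point at placeholder third-party hosts using the /<token>/index.html layout seen above.
SAMPLE_HTML = """<p>Log in to <a href="http://compromised-a.test/mem-Jj4e/index.html">myAT&amp;T</a>
to view your bill. See <a href="http://compromised-b.test/Zyfyo-oh/index.html">att.com</a>
or <a href="http://www.att.com/">att.com</a> for details.</p>"""
LEGIT_DOMAINS = {"att.com"}  # the sender's real web domain; an assumption for this example
LANDING_RE = re.compile(r"^/[A-Za-z0-9-]{4,12}/index\.html$")  # path shape of the landing pages

class LinkCollector(HTMLParser):
    """Collects (visible anchor text, href) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(host):
    # crude last-two-labels registrable domain (www.att.com -> att.com); fine for this demo
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyse(html):
    """Return the number of distinct link hosts and the links that fail the mouse-over checks."""
    parser = LinkCollector()
    parser.feed(html)
    hosts, suspicious = set(), []
    for text, href in parser.links:
        url = urlparse(href)
        domain = registered_domain(url.hostname or "")
        hosts.add(domain)
        if domain in LEGIT_DOMAINS:
            continue  # link really goes to the brand's site
        reasons = []
        if "at&t" in text.lower() or any(d in text.lower() for d in LEGIT_DOMAINS):
            reasons.append("anchor text names the brand but href host does not")
        if LANDING_RE.match(url.path):
            reasons.append("href path matches the /<token>/index.html landing-page shape")
        if reasons:
            suspicious.append((href, reasons))
    return {"distinct_hosts": len(hosts), "suspicious": suspicious}
```

A genuine billing email should yield no suspicious entries and a single host; the sample yields three hosts and two flagged links.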
Email Text:
Dear Customer,
Your monthly wireless bill for your account is now available online.
Total Balance Due: $943.01
Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.
Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you,
AT&T Online Services