informa
Products & Releases

Scam Alert: AT&T Message Delivering Malware

Large outbreaks of phony AT&T wireless emails have been distributed in the past two days
Large outbreaks of phony AT&T wireless emails have been distributed in the last two days. The emails describe very large balances ($943 in the example below), that are sure to get aggravated customers clicking on the included links.

Every link in the email leads to a different compromised site with malware hidden inside. In the example below this means nine (!) different URLS – most emails with links to email limit themselves to one or two links.

The links all follow a similar pattern as shown below:

· http://angelicascakes.com/mem-Jj4e/index.html

· http://decoragyn.com.br/mem-Jj4e/index.html

· http://www.databytez.com/Zyfyo-oh/index.html

· http://www.ncusinagem.com.br/Zyfyo-oh/index.html

The pattern is: //

The index.html file tries to exploit at least the following known vulnerabilities:

· Libtiff integer overflow in Adobe Reader and Acrobat CVE-2010-0188

· Help Center URL Validation Vulnerability CVE-2010-1885

Recipients who are unsure whether the email they have received is genuine or not (the malicious version is a very accurate copy) should mouse-over the links. Genuine emails from AT&T will include AT&T website links. For example the "att.com" link will be the same in both places that it appears in the email – unlike the malicious version which uses two very different URLs.

Email Text:

Dear Customer,

Your monthly wireless bill for your account is now available online.

Total Balance Due: $943.01

Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.

Smartphone users: download the free app to manage your account anywhere, anytime.

Thank you,

AT&T Online Services

Recommended Reading: