Your AT&T wireless bill may link to malware

Large outbreaks of phony AT&T wireless emails have been distributed in the last 2 days. The emails describe very large balances ($943 in the example below) that are sure to get aggravated customers clicking on the included links.

Every link in the email leads to a different compromised site that has malware hidden inside. In the example below this means nine (!) different URLs; most emails carrying malicious links limit themselves to one or two.

The links all follow a similar pattern as shown below:

  • http://angelicascakes.com/mem-Jj4e/index.html
  • http://decoragyn.com.br/mem-Jj4e/index.html
  • http://www.databytez.com/Zyfyo-oh/index.html
  • http://www.ncusinagem.com.br/Zyfyo-oh/index.html

The pattern, as the examples above show, is a compromised domain, followed by a directory with a random-looking name, followed by index.html.

The index.html file tries to exploit at least the following known vulnerabilities:

  • Libtiff integer overflow in Adobe Reader and Acrobat – CVE-2010-0188
  • Help Center URL Validation Vulnerability – CVE-2010-1885

Recipients who are unsure whether an email they have received is genuine (the malicious version is a very accurate copy) should mouse over the links before clicking. Genuine emails from AT&T will include AT&T website links. For example, the “att.com” link will be the same in both places that it appears in the email, unlike the malicious version, which uses 2 very different URLs.
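The mouse-over check above can be automated for a mail gateway or a triage script. The following is an added example, not code from the original post: it extracts every anchor from an email body, flags links whose host is not under the brand's domain, flags paths shaped like the compromised-site URLs listed earlier (the regex is an assumption drawn from those four examples), and reports visible text such as “att.com” that resolves to more than one host. The sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the original post): three anchors that read as
# AT&T links, two of which point at unrelated compromised sites.
SAMPLE_EMAIL_HTML = """
<p>Log in to <a href="http://angelicascakes.com/mem-Jj4e/index.html">myAT&amp;T</a>
to view your bill. Visit <a href="http://decoragyn.com.br/mem-Jj4e/index.html">att.com</a>
or <a href="https://www.att.com/">att.com</a> for help.</p>
"""
# Assumed path shape from the listed URLs: a short random directory name, then index.html.
LURE_PATH = re.compile(r"^/[A-Za-z0-9-]{5,12}/index\.html$")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, brand_domain="att.com"):
    """Return [(item, reason)] for links a bill email from brand_domain should not carry."""
    parser = LinkCollector()
    parser.feed(html)
    findings, hosts_by_text = [], {}
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        hosts_by_text.setdefault(text.lower(), set()).add(host)
        if host != brand_domain and not host.endswith("." + brand_domain):
            findings.append((href, "host %r is not under %s" % (host, brand_domain)))
        if LURE_PATH.match(parsed.path):
            findings.append((href, "path matches the /<random>/index.html lure pattern"))
    # Same visible text resolving to different hosts is the tell the post describes:
    # in genuine mail the "att.com" link goes to one place wherever it appears.
    for text, hosts in hosts_by_text.items():
        if len(hosts) > 1:
            findings.append((text, "visible text points at %d different hosts" % len(hosts)))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML)` flags both compromised-site links twice (off-brand host and lure path) and reports that “att.com” resolves to two different hosts, while the genuine www.att.com link is left alone.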

The fully functional homepage of one of the compromised sites is shown below. For more information about compromised websites see Commtouch’s report compiled in association with StopBadware.

Email Text:

Dear Customer,

Your monthly wireless bill for your account is now available online.

Total Balance Due: $943.01

Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment – it’s free.

Smartphone users: download the free app to manage your account anywhere, anytime.

Thank you,

AT&T Online Services