Outline
Email purporting to be from phone service provider AT&T claims that the recipient’s bill is ready for viewing. The recipient is urged to click a Login button to access the bill online.
Brief Analysis
The email is not from AT&T and it is not a genuine bill notification. Links in the message open a compromised website that automatically redirects users to other websites that harbour malware in the form of the Blackhole exploit kit.
Example
Subject: Your AT&T Bill is ready to be viewed
Your online bill is ready to be viewed
Dear Valued Customer,
A new bill for your AT&T account is ready.
Any payments completed after your bill period expires will not be shown in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service | Account ending in | Bill Amount | Due Date
Home Phone | {Let:0 | $830.65 | 08/06/2012
Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your bill and bill notices at www.att.com/managemyaccount. Log in to online account management to view your bill, maintain your email account or make a payment.
[Link Removed]
Thank you for choosing AT&T. We value your business and look forward to serving you!
Thank you
AT&T Online Services
www.att.com
Contact Us
AT&T Support – quick & easy support is available 24/7.
Moving Soon?
Saty Connected with AT&T. Visit us online
Detailed Analysis
This email, which appears as though it was sent by multinational telecommunications giant AT&T, claims that new bill for phone service is ready for viewing online. The email instructs recipients to click a “Log In” button to access AT&T’s online account management system to view the bill.
However, the email is not from AT&T and is not a genuine bill notification. The email is part of a criminal campaign to trick users into allowing malware to be installed on their computers. Those who click the “Log In” button in the email will be taken not to the AT&T website as they expect, but rather to a compromised website that further redirects them to a page that harbours a version of the Blackhole exploit kit. BlackHole is a web application used by criminals to exploit browser vulnerabilities as a means of downloading and installing trojans and other types of malware.
This attack is quite sophisticated, and according to Websense Security Labs, more than 200,000 of the fake emails may have already been distributed. The email comes complete with seemingly legitimate AT&T graphics and formatting. Those responsible for the attack hope that users, concerned at receiving a bill for such a large amount of money, will click the link without due forethought.
This campaign is very similar to earlier malware attacks including an April 2012 attack that consisted of fake bill emails claiming to be from Verizon Wireless. The Verizon variant also directed victims to compromised websites that contained the Blackhole exploit kit.
If you receive one of these bogus bill notification emails, do not click on any links or open any attachments that it may contain. When checking online accounts, it is always safest to access the account by entering its web address into your browser rather than by clicking links in an email. Also, always ensure that the latest security updates for your browser and operating system are installed on your computer and that you have up-to-date antivirus and anti-malware protection.
Original Source : https://www.hoax-slayer.net/fake-att-bill-emails-point-to-malware/