August 10, 2012 By Dancho Danchev

Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware

Cybercriminals have launched yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end users and corporate users into downloading a bogus Online Bill.

Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits, which ultimately drop a piece of malicious software on the affected hosts.

More details:

Screenshot of the spamvertised email:

Spamvertised compromised URLs: hxxp://

Client-side exploits serving URL: hxxp://

Client-side exploits served: CVE-2010-1885

Upon successful client-side exploitation, the campaign drops MD5: c497b4d6dfadd4609918282cf91c6f4e on the infected hosts, currently detected by 19 out of 41 antivirus scanners as Trojan.Generic.KD.687203; W32/Cridex-Q.

Once executed, the sample phones back to hxxp:// We’ve already seen the same command and control server used in several malware-serving campaigns, namely the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign.

As we already predicted, cybercriminals will continue rotating popular brands and introducing new email templates and new, undetected pieces of malware in an attempt to achieve a higher click-through rate for their malicious campaigns.

AT&T outlines this threat on their site.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
