Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware


Cybercriminals have launched yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end users and corporate users into downloading a bogus Online Bill.

Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits that ultimately drop a piece of malicious software on the affected hosts.

More details:

Screenshot of the spamvertised email:

Spamvertised compromised URLs:

Client-side exploits serving URL: hxxp://advancementwowcom.org/main.php?page=19152be46559e39d

Client-side exploits served: CVE-2010-1885

Upon successful client-side exploitation, the campaign drops MD5: c497b4d6dfadd4609918282cf91c6f4e on the infected hosts, currently detected by 19 out of 41 antivirus scanners as Trojan.Generic.KD.687203; W32/Cridex-Q.

Once executed, the sample phones back to hxxp://87.204.199.100:8080/mx5/B/in/. We’ve already seen the same command and control server used in several malware-serving campaigns, namely the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign.
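A defender-side way to use the indicators above, as an added example that is not from the original post: the script below correlates constructed proxy log lines (timestamp, client IP, URL) against the three stages of this campaign (the atbilred.html lure page, the Black Hole landing URL with its 16-hex-character page token, and the C2 check-in) and flags hosts that reached the C2 stage. The log format and the sample lines are assumptions; the hxxp defanging is undone in the patterns.

```python
import re
from collections import defaultdict

# Stage patterns derived from the indicators in the post: lure pages all end in
# /atbilred.html, the exploit landing URL is main.php?page=<16 hex chars> on the
# named domain, and the C2 check-in goes to 87.204.199.100:8080/mx5/B/in/.
STAGES = [
    ("lure",    re.compile(r"/atbilred\.html$")),
    ("exploit", re.compile(r"^https?://advancementwowcom\.org/main\.php\?page=[0-9a-f]{16}$")),
    ("c2",      re.compile(r"^https?://87\.204\.199\.100:8080/mx5/B/in/?$")),
]

# Assumed proxy log format: "<timestamp> <client_ip> <url>" (one request per line).
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+)$")

def classify(url):
    """Return the campaign stage a URL belongs to, or None if it matches nothing."""
    for name, pat in STAGES:
        if pat.search(url):
            return name
    return None

def correlate(lines):
    """Return {client_ip: [stages seen, in first-seen order]} for matching requests."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, url = m.groups()
        stage = classify(url)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)

def likely_infected(stages_by_host):
    """Hosts that reached the C2 check-in: the lure/exploit stages alone are only exposure."""
    return sorted(host for host, stages in stages_by_host.items() if "c2" in stages)

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """\
2012-06-14T09:01:02Z 10.0.0.5 http://tomruff.net/wp-admin/atbilred.html
2012-06-14T09:01:03Z 10.0.0.5 http://advancementwowcom.org/main.php?page=19152be46559e39d
2012-06-14T09:01:09Z 10.0.0.5 http://87.204.199.100:8080/mx5/B/in/
2012-06-14T09:02:41Z 10.0.0.7 http://ooesv.at/modules/atbilred.html
2012-06-14T09:03:00Z 10.0.0.9 http://www.example.com/index.html
""".splitlines()

if __name__ == "__main__":
    hosts = correlate(SAMPLE_LOG)
    for host, stages in sorted(hosts.items()):
        print(host, "->", " > ".join(stages))
    print("likely infected:", likely_infected(hosts))
```

A host that only hit the lure page (10.0.0.7 above) was exposed but not necessarily compromised; the C2 check-in is the signal worth paging on.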

As we already predicted, cybercriminals will continue rotating popular brands, introducing new email templates, and pushing new, undetected pieces of malware in an attempt to achieve a higher click-through rate for their malicious campaigns.

AT&T outlines this threat on their site.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
