Fake AT&T wireless bill links to malware

Large outbreaks of phony AT&T wireless emails have been distributed in the last two days, according to Commtouch. The emails describe very large balances ($943 in the example below), that are sure to get aggravated customers clicking on the included links.

Every link in the email leads to a different compromised site with malware hidden inside.

The pattern is: legitimate domain / recurring set of random letters / index.html

The index.html file tries to exploit at least the following known vulnerabilities:

  • Libtiff integer overflow in Adobe Reader and Acrobat: CVE-2010-0188
  • Help Center URL Validation Vulnerability: CVE-2010-1885.

Recipients who are unsure whether the email they have received is genuine or not (the malicious version is a very accurate copy) should mouseover the links. Genuine emails from AT&T will include AT&T website links. For example the “att.com” link will be the same in both places that it appears in the email – unlike the malicious version which uses two very different URLs.