Fake AT&T Emails Using Blackhole Exploit Kit to Install Malware

For the last few weeks there have been a series of quite authentic-looking phishing emails making the rounds, purporting to come from AT&T and informing the recipient that their bill is ready to view. The emails look nearly identical to a real bill and researchers say that users who fall for the ruse are going to be rewarded with a redirection to a site hosting the Blackhole exploit kit.

The attack vector and infection chain in this scenario are as old as the hills, but what sets this one apart are two specific things: the quality of the email itself and the fact that its ultimate payload is a piece of malware that many security products haven’t seen before. In most large-scale phishing attacks, the emails have a few fairly obvious mistakes or oddities that mark them as suspicious or malicious. This could include bad grammar (though these days that would mean about 99 percent of emails are suspicious), an odd or incorrect salutation or even the fact that the email body is a JPEG rather than text.

And many phishing attacks also rely on commodity malware rather than custom tools, for reasons of both convenience and economy.

However, some of the more professional phishing crews take great care with their emails, especially the highly targeted spear-phishing messages that are used as part of targeted attacks. The fake AT&T emails fall into that category, with well-crafted text, official logos, headers and footers. But one clue that these emails are dodgy is the amount that’s supposedly owed by the recipient. It’s typically several hundred U.S. dollars, rather high for a phone bill.

Researchers at Websense have analyzed the phishing emails and found that when users click on the link in the emails, it takes them to a malicious site that attempts to exploit vulnerabilities in their browsers.

“Clicking on the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware is downloaded onto the computer that is currently not detected by most antivirus products, according to VirusTotal,” Tamas Rudnai of Websense wrote in his analysis of the attack.

Once the victim’s machine has been compromised, the malware injects itself into some running processes and then contacts a remote server that’s part of a botnet. Rudnai said in his analysis that the malware used in the attack looks like it’s a variant of the Zeus family. There are a slew of Zeus versions out there, including some custom variants, and most of them are recognized by antimalware systems. But this one is only caught by about 25 percent of the products used by VirusTotal, meaning it could be new.
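The two clues the article gives for spotting these messages, a link that leads somewhere other than the carrier's own site and a bill amount that is far higher than a normal phone bill, can be turned into a simple mail-triage check. The script below is an added example written for this page, not code from Websense or from the article; the sample message, the placeholder link host and the $200 threshold are constructed for illustration and are not indicators from the real campaign.

```python
"""Triage helper for lookalike-bill phishing emails (added example, not from the article).

Parses a raw RFC 822 message, pulls every hyperlink out of the HTML body, and
flags links whose host is not the sender's claimed domain or a subdomain of it.
It also flags unusually large dollar amounts in the body, since the article notes
the fake bills asked for several hundred dollars.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: claims to be an AT&T bill but its "View your bill" link
# points at a placeholder host (.invalid is a reserved TLD, never a real site).
SAMPLE_EML = b"""From: "AT&T Billing" <billing@att.com>
To: customer@example.com
Subject: Your AT&T bill is ready to view
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your bill for $389.45 is ready.</p>
<p><a href="http://example-compromised-host.invalid/bill">View your bill</a></p>
<p><a href="https://www.att.com/help">Help</a></p>
</body></html>
"""

# Assumed threshold: amounts at or above this are flagged as atypical for a phone bill.
HIGH_AMOUNT_USD = 200.0


class _LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(msg):
    """Return (href, text) pairs from the HTML body, or [] if there is none."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkExtractor()
    parser.feed(body.get_content())
    return parser.links


def same_org(host, brand_domain):
    """True if host is brand_domain itself or a subdomain of it."""
    return host == brand_domain or host.endswith("." + brand_domain)


def triage(raw_bytes):
    """Return the sender domain plus a list of findings for the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    brand = addr.rpartition("@")[2].lower()
    findings = []

    # Clue 1: links whose host does not belong to the claimed sender.
    for href, text in extract_links(msg):
        host = (urlparse(href).hostname or "").lower()
        if not same_org(host, brand):
            findings.append({"kind": "offsite_link", "href": href,
                             "text": text, "host": host})

    # Clue 2: dollar amounts far above a typical phone bill.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    for amt in re.findall(r"\$\s?([0-9][0-9,]*\.?[0-9]*)", content):
        value = float(amt.replace(",", ""))
        if value >= HIGH_AMOUNT_USD:
            findings.append({"kind": "high_amount", "amount": value})

    return {"sender_domain": brand, "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_EML)["findings"]:
        print(f)
```

The sender-domain comparison is a triage heuristic, not authentication: a From header is trivially forged, so a message whose links all match the brand domain is not thereby legitimate. SPF, DKIM and DMARC results from the receiving gateway are the right source for that judgement; this check only surfaces the mismatch that the article describes as the giveaway.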

Discussion

  • Anonymous on

    Is there ever an instance when you list how to correct a problem along with reporting it??

  • Anonymous on

    Does anyone know what the host(s) is for "contacts a remote server that's part of a botnet"

  • Independent on

    Due diligence is the order of business these days! Just how gullible are we? Your bill is ready... DUH! Your social security number is being corrected, click **HERE** and enter all of your personal security information! We'll even pay you for your effort... Just give us your bank's routing and account numbers! AND, the email doesn't even have your name in it... If you bite on this stuff, consider sending me $500.00 for a special security newsletter that will instruct you on how to indemnify yourself from all future identity theft and malware infestation, forever, 100% money back, + an additional $500.00 on top of your original purchase price!

    Conditions: Offer is for one computer only. You must include the network adapter from that device and installing any other device that permits any kind of network access voids the warranty. 

    Nobody can protect you from your own gullibility!

    C

  • Peggy on

    I have been receiving what look like authentic notifications from Comcast for the last two months that seem to be the same sort of thing. Correct logos, proper English, etc. Thing is that our Comcast account is not in my name, and as far as I know they have no clue I even exist. So the fact that I can "view my current bill here" does not suck me in.

  • Anonymous on

    Would iPad be vulnerable if link opened?

  • Anonymous on

    So far as I've seen, BHEK is Windows specific. iOS devices needn't worry about it yet. Although, it is quite prolific. Our network of about 2,000 machines sees about one attempted download every two weeks. All of them drive-by-downloads due to IFrame injection.
