For the last few weeks there have been a series of quite authentic-looking phishing emails making the rounds, purporting to come from AT&T and informing the recipient that their bill is ready to view. The emails look nearly identical to a real bill and researchers say that users who fall for the ruse are going to be rewarded with a redirection to a site hosting the Blackhole exploit kit.
The attack vector and infection chain in this scenario are as old as the hills, but two specific things set this one apart: the quality of the email itself and the fact that its ultimate payload is a piece of malware that many security products haven’t seen before. In most large-scale phishing attacks, the emails have a few fairly obvious mistakes or oddities that mark them as suspicious or malicious. These could include bad grammar (though these days that would mean about 99 percent of emails are suspicious), an odd or incorrect salutation or even the fact that the email body is a JPEG rather than text.
Many phishing attacks also rely on commodity malware rather than custom tools, for reasons of both convenience and economy.
However, some of the more professional phishing crews take great care with their emails, especially the highly targeted spear-phishing messages that are used as part of targeted attacks. The fake AT&T emails fall into that category, with well-crafted text, official logos, headers and footers. But one clue that these emails are dodgy is the amount that’s supposedly owed by the recipient. It’s typically several hundred U.S. dollars, rather high for a phone bill.
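A defender-side way to operationalise the clues listed above (an image-only body, an odd or generic salutation, an implausibly high amount due, and a link that leads somewhere other than the purported sender's domain) is a small indicator scorer that a mail gateway or triage script could run. The following is an added example, not code from Websense or from the article; the sample messages are constructed, and the `att.com` sender domain, the $300 cutoff and the indicator weights are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the brand being impersonated and the
# "several hundred dollars" cutoff the article describes as suspicious.
EXPECTED_SENDER_DOMAIN = "att.com"
HIGH_AMOUNT_USD = 300.0


class _Extractor(HTMLParser):
    """Collect visible text, <a href> targets and <img> count from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.hrefs = []
        self.images = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        s = data.strip()
        if s:
            self.text.append(s)


def score_message(msg: dict) -> dict:
    """Return the triggered indicators (name -> weight) and their total for one message."""
    p = _Extractor()
    p.feed(msg.get("body_html", ""))
    text = " ".join(p.text)
    hits = {}

    # 1. The "bill" is an image with almost no real text around it.
    if p.images and len(text) < 40:
        hits["image_only_body"] = 2

    # 2. Generic salutation where a real bill would use the customer's name.
    if re.search(r"\bdear\s+(customer|user|client|valued)\b", text, re.I):
        hits["generic_salutation"] = 1

    # 3. Amount due that is implausibly high for a phone bill.
    amounts = [float(a.replace(",", ""))
               for a in re.findall(r"\$\s?([\d,]+\.\d{2})", text)]
    if any(a >= HIGH_AMOUNT_USD for a in amounts):
        hits["high_amount"] = 2

    # 4. Any link whose host is not under the brand's own domain.
    for href in p.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host != EXPECTED_SENDER_DOMAIN and not host.endswith("." + EXPECTED_SENDER_DOMAIN):
            hits["offbrand_link"] = 3
            break

    return {"hits": hits, "score": sum(hits.values())}


def is_suspicious(msg: dict, threshold: int = 3) -> bool:
    """Flag a message once its indicator score reaches the (assumed) threshold."""
    return score_message(msg)["score"] >= threshold


# Constructed sample messages; the hostname example.invalid stands in for the
# compromised server a real lure would point at.
PHISH = {
    "subject": "Your AT&T bill is ready to view",
    "body_html": ('<p>Dear Customer,</p><p>Your bill of $548.11 is ready.</p>'
                  '<a href="http://example.invalid/bill.php">View bill</a>'),
}
LEGIT = {
    "subject": "Your AT&T bill is ready",
    "body_html": ('<p>Hi Jordan,</p><p>Your bill of $84.20 is ready.</p>'
                  '<a href="https://www.att.com/myatt">View bill</a>'),
}
IMAGE_ONLY = {
    "subject": "Your AT&T bill is ready to view",
    "body_html": '<img src="cid:bill.jpg"><a href="http://example.invalid/x">open</a>',
}

if __name__ == "__main__":
    for m in (PHISH, LEGIT, IMAGE_ONLY):
        print(m["subject"], score_message(m), "SUSPICIOUS" if is_suspicious(m) else "ok")
```

The weights are deliberately uneven: a link that leaves the brand's domain is the strongest single signal, since it is the step that delivers the victim to the exploit kit, while a generic salutation on its own is common enough in legitimate mail that it only contributes when combined with other indicators.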
Researchers at Websense have analyzed the phishing emails and found that when users click on the link in the emails, it takes them to a malicious site that attempts to exploit vulnerabilities in their browsers.
“Clicking on the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware is downloaded onto the computer that is currently not detected by most antivirus products, according to VirusTotal,” Tamas Rudnai of Websense wrote in his analysis of the attack.
Once the victim’s machine has been compromised, the malware injects itself into some running processes and then contacts a remote server that’s part of a botnet. Rudnai said in his analysis that the malware used in the attack looks like a variant of the Zeus family. There are a slew of Zeus versions out there, including some custom variants, and most of them are recognized by antimalware systems. But this one is only caught by about 25 percent of the products used by VirusTotal, meaning it could be new.