X-Labs
August 2, 2012

Fake AT&T email Installs Malware

Tamas Rudnai

Websense® ThreatSeeker® Network detected a massive phishing campaign targeting AT&T customers. More than 200,000 fake emails are masquerading as billing information from the giant American communication services provider. Each message claims that a bill of a few hundred US dollars is due.

In itself, the amount is probably large enough to make most recipients suspicious. Hovering the mouse cursor over the link also reveals that the real target Web address is different from the one displayed in the text of the message. Websense Security Labs strongly recommends that you do not click links in emails. Instead, manually type the legitimate domain name into your browser and reach the website that way.
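The hover check described above can be done programmatically on an incoming message: parse the HTML body, and for every link whose visible text looks like a domain or URL, compare the domain shown to the recipient with the domain the href actually points at. The script below is an added example written for this post, not code from Websense or from the campaign analysis. The sample email is constructed; `billing.example.net` stands in for the compromised server (the real campaign URL is not reproduced here), and the two-label "registrable domain" reduction is a simplification that a production filter would replace with a public suffix list lookup.

```python
"""Flag anchors in an HTML email whose visible text shows one domain while
the href points at another.  Added example; the sample message is constructed
and example.net is a placeholder for the attacker's host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample resembling a fake billing notice.  The first link's
# text says www.att.com but its target is an unrelated host.
SAMPLE_EMAIL = """
<html><body>
<p>Your AT&amp;T bill of $943.19 is ready.</p>
<p>View it here: <a href="http://billing.example.net/att/login.php">www.att.com/myatt</a></p>
<p>Questions? <a href="https://www.att.com/support">AT&amp;T Support</a></p>
<p>Pay now at <a href="https://pay.att.com/invoice">https://pay.att.com/invoice</a></p>
</body></html>
"""

# A bare host or URL appearing in link text, e.g. "www.att.com/myatt".
HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so &amp; arrives as '&'
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain reduction: keep the last two labels.
    Fine for .com/.net hosts; use the public suffix list in real deployments."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def displayed_host(text):
    """Host the recipient *sees* in the link text, or None if the text is
    a plain label such as 'Support' that makes no claim about the target."""
    m = HOSTLIKE.search(text)
    return m.group(1).lower() if m else None


def find_mismatches(html):
    """Return (visible_text, href) for every anchor whose displayed host and
    real target host fall under different registrable domains."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        shown = displayed_host(text)
        if shown is None:
            continue  # no domain claimed in the text, nothing to compare
        target = urlsplit(href).hostname or ""  # '' also catches javascript: hrefs
        if registrable(shown) != registrable(target):
            hits.append((text, href))
    return hits


if __name__ == "__main__":
    for text, href in find_mismatches(SAMPLE_EMAIL):
        print(f"MISMATCH: link shows {text!r} but goes to {href}")
```

Only anchors whose text asserts a domain are judged; a link labelled "Support" that points off-site is not necessarily deceptive, whereas text reading `www.att.com/...` that leads elsewhere is exactly the mismatch the hover check exposes.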


Clicking the link in the bogus message sends the user to a compromised Web server, which redirects the browser to a Blackhole exploit kit. The kit then downloads malware onto the computer; at the time of writing, most antivirus products do not detect it, according to VirusTotal.

ThreatScope analysis, part of our CSI service, shows that the malware belongs to the Cridex family. It drops files into the Application Data and Temp folders, then injects code into other processes running on the computer, for example Internet Explorer and Adobe Reader. After that it contacts a botnet, through which the attacker can instruct the malware to take further actions. The full report is available in our AceInsight portal.


Websense customers are protected by our Advanced Classification Engine (ACE).


Special thanks to: Mary Grace Timcang, Elad Sharf and Patrik Runald
