Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Fake AT&T email Installs Malware


Posted: 02 Aug 2012 10:34 AM | Tamas Rudnai | 2 comment(s)

Websense® ThreatSeeker® Network detected a massive phishing campaign targeting AT&T customers. More than 200,000 fake emails are masquerading as billing information from the giant American communication services provider. Each message claims that there is a bill of a few hundred US dollars.


In itself, the amount of money could be big enough to raise suspicion in most of us. Also, it is easy to see when the mouse cursor hovers over the link that the target Web address is different from the one displayed in the text of the message. Websense Security Labs highly recommends that you not click links in emails. Instead, manually type the legitimate domain name into your favorite browser and access the website that way.



Clicking on the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware that, according to VirusTotal, is currently not detected by most antivirus products is downloaded onto the computer.


ThreatScope analysis, part of our CSI service, shows that the malware is part of the Cridex family. It drops files into the Application Data and Temp folders, and then injects code into other processes running on the computer, for example Internet Explorer and Adobe Reader. After this, it accesses a Bot network where the attacker can instruct the malware to take further actions. You can see the full report in our AceInsight portal.



Websense customers are protected by our Advanced Classification Engine (ACE).


Special thanks to: Mary Grace Timcang, Elad Sharf and Patrik Runald


Manny said on Friday, August 3, 2012 6:55 PM

Selected link on iPad, obvious fake. Is iPad safe from this AT&T fake link?

Tamas Rudnai said on Monday, August 6, 2012 10:02 AM

Although there are exploits in the wild for jailbreaking iPhone and iPad, cyber criminals are typically not targeting these devices. Having said that, Websense Security Labs highly recommends using the latest iOS updates from Apple and avoiding visiting malicious websites. For further information on mobile security click on the following link: www.websense.com/.../mobile-solutions.aspx
