Cybercriminals have launched yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end and corporate users into downloading a bogus Online Bill.

Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits, which ultimately drop a piece of malicious software on the affected hosts.

More details:

Screenshot of the spamvertised email:

Spamvertised compromised URLs:

hxxp://fitlyspoken.org/wp-admin/atbilred.html
hxxp://tomruff.net/wp-admin/atbilred.html
hxxp://skiclub-marbach.ch/modules/atbilred.html
hxxp://patientshealthtips.com/wp-admin/atbilred.html
hxxp://ecmconnection.com.br/banners/atbilred.html
hxxp://ooesv.at/modules/atbilred.html
hxxp://jaguarloszer.eu/css/atbilred.html
hxxp://andrevanos.nl/robeco/atbilred.html
hxxp://argusoft.de/ak/atbilred.html
hxxp://adviko.ru/doc/atbilred.html
hxxp://issueswithaging.com/wp-content/plugins/zeaaiumxqqi/atbilred.html
hxxp://montecorneo.com/images/atbilred.html
hxxp://qisas.com/wp-admin/atbilred.html
hxxp://elecok.de/modules/atbilred.html
hxxp://odessa-ua.net/modules/atbilred.html
hxxp://ezitis.lv/wp-admin/atbilred.html
hxxp://lostsoul.ro/wp-content/plugins/zdopwbrdkyv/atbilred.html
hxxp://masoncerbone.com/wp-content/plugins/zeeyseapoee/atbilred.html
hxxp://deafplus.us/wp/wp-content/plugins/zfoorahmuib/atbilred.html
hxxp://hexbugnano.co.uk/wp-content/plugins/zexjtehgupg/atbilred.html

Client-side exploits serving URL: hxxp://advancementwowcom.org/main.php?page=19152be46559e39d

Client-side exploits served: CVE-2010-1885

Upon successful client-side exploitation, the campaign drops MD5: c497b4d6dfadd4609918282cf91c6f4e on the infected hosts, currently detected by 19 out of 41 antivirus scanners as Trojan.Generic.KD.687203; W32/Cridex-Q.

Once executed, the sample phones back to hxxp://87.204.199.100:8080/mx5/B/in/. We’ve already seen the same command and control server used in several malware-serving campaigns, namely the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign.
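The indicators above describe three stages that a defender can pull apart in web-proxy logs: the click on a compromised site (every lure lands on a page named atbilred.html), the Black Hole landing URL, and the post-infection check-in to the command and control server. The following Python script is an added example, not code from the original post or from Webroot; it takes only the indicators the post lists, generalises the single Black Hole landing URL into a pattern (main.php with a 16-hex-digit page value, so a rotated landing host is still caught), and runs it over a constructed proxy-log excerpt whose format, hosts and timestamps are all assumptions made up for the demonstration. The point it makes is the triage distinction: a redirect hit alone means a user clicked, while a C2 check-in or a download matching the MD5 means the drop succeeded.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Indicators from the post, with the defanged "hxxp" restored to "http" for matching.
LANDING_PAGE_PATH = "/atbilred.html"            # path hosted on every compromised site
EXPLOIT_KIT_HOST = "advancementwowcom.org"       # Black Hole exploit kit landing host
C2_URL_PREFIX = "http://87.204.199.100:8080/mx5/B/in/"
MALWARE_MD5 = "c497b4d6dfadd4609918282cf91c6f4e"

# The post shows one landing URL (main.php?page=19152be46559e39d); this pattern
# generalises only that shape so the check survives a change of landing host.
BLACKHOLE_LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")

# Assumed, constructed proxy-log format:
# "<timestamp> <client-ip> <method> <url> [<md5 of response body>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"(?:\s+(?P<md5>[0-9a-fA-F]{32}))?$"
)

STAGE_REDIRECT = "stage1-compromised-site-redirect"
STAGE_EXPLOIT_KIT = "stage2-exploit-kit-landing"
STAGE_PAYLOAD = "stage2b-known-payload-download"
STAGE_C2 = "stage3-c2-checkin"

# Constructed sample log: host .12 goes all the way to the C2 check-in, host .15
# only clicked the lure, host .20 is benign. The download URL is a placeholder.
SAMPLE_LOG = """
2012-06-01T09:12:03Z 10.0.0.12 GET http://fitlyspoken.org/wp-admin/atbilred.html
2012-06-01T09:12:05Z 10.0.0.12 GET http://advancementwowcom.org/main.php?page=19152be46559e39d
2012-06-01T09:12:09Z 10.0.0.12 GET http://advancementwowcom.org/PAYLOAD_PATH_PLACEHOLDER c497b4d6dfadd4609918282cf91c6f4e
2012-06-01T09:12:40Z 10.0.0.12 POST http://87.204.199.100:8080/mx5/B/in/
2012-06-01T09:15:11Z 10.0.0.15 GET http://tomruff.net/wp-admin/atbilred.html
2012-06-01T09:15:12Z 10.0.0.15 GET http://www.att.com/
2012-06-01T09:20:00Z 10.0.0.20 GET http://www.example.com/index.html
""".strip().splitlines()


def classify(url: str, md5: Optional[str] = None) -> Optional[str]:
    """Map one request to a campaign stage, or None if it matches no indicator.
    Most specific (and most damning) indicators are checked first."""
    if url.startswith(C2_URL_PREFIX):
        return STAGE_C2
    if md5 and md5.lower() == MALWARE_MD5:
        return STAGE_PAYLOAD
    parsed = urlparse(url)
    if parsed.hostname == EXPLOIT_KIT_HOST or BLACKHOLE_LANDING_RE.search(url):
        return STAGE_EXPLOIT_KIT
    if parsed.path.endswith(LANDING_PAGE_PATH):
        return STAGE_REDIRECT
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        stage = classify(m.group("url"), m.group("md5"))
        if stage:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "url": m.group("url"), "stage": stage})
    return hits


def triage(lines: List[str]) -> Dict[str, Set[str]]:
    """Bucket client IPs by what the hits prove: 'clicked' (reached the lure page),
    'exposed' (reached the exploit kit), 'infected' (fetched the known sample or
    talked to the C2 server). Only 'infected' hosts need reimaging; the rest need
    a look at patch level for the served exploit."""
    buckets: Dict[str, Set[str]] = {"clicked": set(), "exposed": set(), "infected": set()}
    for hit in scan(lines):
        if hit["stage"] == STAGE_REDIRECT:
            buckets["clicked"].add(hit["src"])
        elif hit["stage"] == STAGE_EXPLOIT_KIT:
            buckets["exposed"].add(hit["src"])
        else:
            buckets["infected"].add(hit["src"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_LOG).items():
        print(f"{bucket:9s} {sorted(hosts)}")
```

The C2 check is a prefix match on the full URL including the port, because the post's IP is only an indicator in combination with that path; matching the bare address would flag unrelated traffic if the host is shared. Swap SAMPLE_LOG for real proxy exports and adjust LOG_RE to the local log format.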

As we already predicted, cybercriminals will continue rotating popular brands and introducing new email templates and newly undetected pieces of malware in an attempt to achieve a higher click-through rate for their malicious campaigns.

AT&T outlines this threat on their site.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.