Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Fake USPS Notification Ups the Ante | Main | Irresponsible Domain Name Management »

May 14, 2012

Fake AT&T Wireless Bill Notification

If you are an AT&T wireless customer (like me), you probably receive legitimate email notices each month when your wireless bill is ready to be viewed online. I don't keep track of when in the month the notice is sent, so when a notice arrived in my inbox this morning claiming to be from AT&T Customer Care with a Subject: line of "Your AT&T wireless bill is ready to view", I took a peek:

Convincing, but fake AT&T wireless bill notice

I have a low-end plan (I don't talk much), so my bills are regularly well under $100 per month. Imagine my surprise at the claimed balance of over $1500. The sender hoped I'd be outraged enough to click immediately on the live links to log in to see where all the big charges came from. Unfortunately for the sender, when I see an outrageous email from one of my suppliers, I immediately smell a rat. Before clicking anything, I check the URL of the link (a mouse hover atop the link typically displays a tooltip revealing the actual URL of the link). The links in this email were not going to any AT&T web site, but rather to a hijacked site, which, upon further safe inspection of the content, loads the old obfuscated JavaScript stuff reported many times on this blog as malware loaders.

Other readily visible clues that this message is phony baloney include failure to address the recipient by name and to specify the account number in the first paragraph. It's not easy, however, to remember how each of your vendors addresses you in their regular emails. Most include your name somewhere, but not always.

Further inspecting the innards of the message, I see that the crooks tried to forge the headers to look like the message originated from an AT&T mail server. At the final stage of the header trail, however, the reverse IP address lookup performed by my mail server failed to resolve to a domain name. Legitimate AT&T emails to customers also employ a domain key signature.

You have to keep telling yourself (and your friends and neighbors) that when you receive an email message (even from someone you know) that contains anything outrageous, route your adrenalin to your rat-sniffing faculties, not your clicking finger. Clicking a link or opening an attachment in such emails may be the last thing you do with your computer before it — and all your valuable data and login credentials — fall into the hands of Bad Guys.

Posted on May 14, 2012 at 10:50 AM