From: Tonya Bates [mailto:email@example.com]
Sent: 02 August 2012 14:08
Subject: Pay your AT&T bill online
att.com | Support | My AT&T Account
Your online bill is ready to be downloaded
Dear Valued Customer,
A new bill for your AT&T account is ready.
Any operations completed after your bill period expires will not be reflected in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service Account ending in Bill Amount Due Date
Home Phone 6 $355.26 08/06/2012
Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.
Thank you for choosing AT&T. We value your business and look forward to serving you!
AT&T Online Services
AT&T Support - quick & easy support is available 24/7.
Stay connected with AT&T. Visit us online at att.com/move.
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how
Save time and pay your monthly bill automatically!
Sign up now
Visit our Special Offers to check out our best promotions.
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.
2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
The malicious payload is at [donotclick]unboxhibernation.org/main.php?page=19152be46559e39d (report here) hosted on 18.104.22.168 (CYTA Hellas, Greece) which also hosts the apparently legitimate site infosector.gr, although some DNS results are coming back with 22.214.171.124 in China instead.. and this IP address is definitely malicious as it contains the following malware domains:
Blocking both IPs may well be prudent.
Also, the following nameservers are indicative of an evil host, keep an eye out for them..