Sponsored by..

Thursday, 2 August 2012

"Pay your AT&T bill online" spam / unboxhibernation.org

This fake AT&T spam leads to malware on unboxhibernation.org:

 From: Tonya Bates [mailto:robot@craigslist.org]
Sent: 02 August 2012 14:08
Subject: Pay your AT&T bill online
Importance: High

att.com | Support | My AT&T Account

Your online bill is ready to be downloaded
Dear Valued Customer,

A new bill for your AT&T account is ready.

Any operations completed after your bill period expires will not be reflected in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service     Account ending in     Bill Amount     Due Date
Home Phone     6     $355.26     08/06/2012

Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.

Thank you for choosing AT&T. We value your business and look forward to serving you!

Thank you,
AT&T Online Services

Contact Us
AT&T Support - quick & easy support is available 24/7.


Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.

AT&T Online Services
Get more time to do what you want. What would you do?
 Show me how

    Automatic Payments
Save time and pay your monthly bill automatically!
 Sign up now

    Special Offers
Visit our Special Offers to check out our best promotions.
 Learn more

Online Information
AT&T Community
Home Phone
Special Offers

All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.

2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy

The malicious payload is at [donotclick]unboxhibernation.org/main.php?page=19152be46559e39d (report here) hosted on (CYTA Hellas, Greece) which also hosts the apparently legitimate site infosector.gr, although some DNS results are coming back with in China instead.. and this IP address is definitely malicious as it contains the following malware domains:


Blocking both IPs may well be prudent.

Also, the following nameservers are indicative of an evil host, keep an eye out for them..


No comments: