Blackhole Exploit Kit Used by Fake AT&T Emails to Install Malware Under the Antimalware Radar
Phishing emails are not much different from spam messages: both aim to trick PC users into either clicking a malicious link or downloading and installing a malicious application.
The most recently identified phishing scam, purporting to come from AT&T, attempts to inform the recipient that their new bill is ready to view (example in Figure 1 below). Probably the most disturbing part about this phishing message is that it is almost an exact copy of the legitimate AT&T emails commonly sent to customers simply to make them aware that their upcoming bill is ready to be viewed.
Figure 1. Fake vs. Real AT&T 'Your bill is ready to view' message examples (image source: resourcesforlife.com)
The noticeable differences between a real AT&T 'Your bill is ready to view' email and the fake phishing message are that the account number and customer name are listed on the real email. The fake AT&T 'Your bill is ready to view' email instead lists a dollar amount due and simply greets the user as 'Dear Customer'.
Naturally, when you receive an email about an upcoming bill, you will first want to make sure you have the funds to pay it. Secondly, you will probably click on the link within the email to quickly load your online bill-pay site. In the case of the AT&T 'your bill is ready to view' phishing message, the links provided within the message redirect users to a site hosting the Blackhole exploit kit.
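The tells described above (a generic 'Dear Customer' greeting and a dollar amount in place of an account number and customer name) and links that lead off to a host other than the carrier's own can be checked mechanically before anyone clicks. The following is an added example, not code from the original post, Websense or AT&T; it assumes that genuine AT&T billing links stay on att.com hosts, and both sample messages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: genuine AT&T billing links stay on att.com hosts.
TRUSTED_SUFFIXES = ("att.com",)
# Constructed sample messages modelled on the two figures, not real mail.
FAKE_EMAIL = ('<p>Dear Customer,</p><p>Your new AT&T bill of $432.14 is ready to view.</p>'
              '<p><a href="http://compromised-host.example/bill">att.com/myatt</a></p>')
REAL_EMAIL = ('<p>Dear JANE DOE,</p><p>Account number ending in 1234. Your bill is ready.</p>'
              '<p><a href="https://www.att.com/myatt">View your bill</a></p>')

class LinkExtractor(HTMLParser):  # collects (href, anchor text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def phishing_indicators(html):
    """Return the tell-tale signs from the post that a 'bill is ready' mail shows."""
    found = []
    text = re.sub(r"<[^>]+>", " ", html)
    if re.search(r"\bdear\s+customer\b", text, re.I):
        found.append("generic greeting")       # the real mail names the customer
    if not re.search(r"account\s*(number|#|ending)", text, re.I):
        found.append("no account number")     # the real mail lists the account
    parser = LinkExtractor()
    parser.feed(html)
    for href, anchor in parser.links:
        if not host_trusted(href):
            found.append("off-domain link: " + href)
        # Anchor text that reads like an att.com address but whose target is elsewhere.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", anchor, re.I)
        if shown and host_trusted("http://" + shown.group(0)) and not host_trusted(href):
            found.append("display/target mismatch: " + anchor + " -> " + href)
    return found
```

Running `phishing_indicators(FAKE_EMAIL)` flags all four tells, while the constructed genuine message returns an empty list.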
The Blackhole exploit kit is a self-contained crimeware kit, once sold for about $1,500 for an annual license. The particular Blackhole exploit kit found on the site that the AT&T phishing email's links redirect to is one that exploits vulnerabilities within a PC user's web browser. The malicious site containing the Blackhole exploit kit is hosted on a compromised server.
Loading the Blackhole exploit kit, which usually happens when the site redirection occurs, essentially downloads malware onto the computer. This particular malware, found to be a new threat not detected by antivirus or antimalware software, may inject itself into running processes, from which it contacts a remote server found to be part of a botnet. Researchers from Websense have suggested that the attack looks like a variant of the infamous Zeus family of malware.
We have reported on many occasions about the dangers that come with Zeus, an aggressive botnet formed to target financial institutions while bypassing detection.
Let's not forget that this particular AT&T phishing campaign starts off with a very convincing spam email message. With such a threat having the consequence of infecting PCs with a botnet, all at the hands of the Blackhole exploit kit doing what it was originally conceived to do, we may be looking at another takeover by a botnet. In such a case, with PCs becoming infected from this bogus AT&T 'your bill is ready to view' phishing message, a massive botnet (a group of infected and compromised computers) could be formed to carry out a plethora of malicious actions over the internet. Who knows, this could be the next Conficker-type botnet in the making.