
Fake Huge Phone Bill Mal-Links to Another Level

2012-04-11


[Screenshot: the fake AT&T bill spam message]

If this doesn’t demonstrate some of the more harmful risks posed by compromise of FTP credentials, I don’t know what will. A spam email that’s been circulating since the beginning of the month leads unwary victims not to one or two traps, but nineteen different URLs, all pointing to legitimate Web sites that have been compromised, and (at the time, anyway) hosted malicious content.

The spam poses as an AT&T bill for $920.30, and seems engineered to inspire the classic freakout reaction from the recipient. As a con, it wouldn’t work so well if it wasn’t a plausible scenario. Who hasn’t received one of those panic-moment mobile bills at one time or another?

Within a day, the dangerous links were shut down, but their variety and quantity in a single – and to be honest, kind of terse – email surprised me. As you can see from the screenshot, hotlinked text throughout the message body leads the recipient to believe the links point to various parts of the AT&T Web site. In fact, they point to myriad others.

The compromised Web sites don’t have much in common: while it didn’t appear that any were registered by the same organization or person, most had addresses in Latin America or Spain in their WHOIS information. All hosted an identical exploit kit delivering a Zbot payload.

While it appears, at first, that the malware distributors generated random folder names for their traps, in fact some of the directory names repeat across the compromised sites.
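Two of the signals above, links whose real destination is not the domain the message claims to come from, and the same directory name reappearing on unrelated hosts, can be pulled out of a message body mechanically. The following is an added example (not code from the original post or from Solera); the sample HTML, the `.test` hosts and the directory name `kjh3` are constructed, not taken from the real campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a href=...> in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def off_brand_links(html, sender_domain):
    """(text, href) for every link whose host is outside sender_domain; a bill
    claiming to come from that domain should link nowhere else, whatever the text says."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            flagged.append((text, href))
    return flagged

def repeated_path_segments(hrefs):
    """Top-level directory names used on more than one distinct host, with the host
    count: the same folder name on unrelated sites points to a single kit/operator."""
    hosts_by_segment = {}
    for href in hrefs:
        parsed = urlparse(href)
        segment = parsed.path.strip("/").split("/")[0]
        if segment:
            hosts_by_segment.setdefault(segment, set()).add(parsed.hostname)
    return {seg: len(h) for seg, h in hosts_by_segment.items() if len(h) > 1}

# Constructed sample body: hosts use the reserved .test TLD and the directory
# name "kjh3" is invented, not taken from the real campaign.
SAMPLE = """<p>Your AT&amp;T bill of $920.30 is ready.</p>
<a href="http://example-shop.test/kjh3/index.html">View your bill</a>
<a href="http://example-blog.test/kjh3/index.html">www.att.com/myatt</a>
<a href="http://www.att.com/support">Support</a>"""

if __name__ == "__main__":
    hits = off_brand_links(SAMPLE, "att.com")
    print(hits, repeated_path_segments([h for _, h in hits]))
```

Run against a batch of reported messages, the second function turns the "random looking" folder names into a clustering key for the campaign.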

Zbot steals any stored FTP credentials, and can turn a victim’s legitimate Web site into an online pariah with no warning, weeks or months after the compromise. Assuming desktops will be compromised, an IT admin might consider ramping up the rate at which the server requires users to change credentials to every 60 or even 30 days. At least that narrows the window of opportunity for stolen passwords to be used.
