AT&T online payment confirmation - fake email with virus


This is another fake AT&T notification email, this one claiming that a payment confirmation for your account is attached.

Other emails in the spoofed payvesupport@ aexp.com series:

The attachment is not a payment confirmation; it is malware (detection details below).

Text version:


Subject: AT&T online payment confirmation

AT&T payment confirmation
Dear Valued Customer,

Thank you for using AT&T online payments.

You submitted the following payment(s) for your account.

Payment Method     Confirmation     Payment Date     Amount
BankDraft     ZLLW3LH2512FH03     03/18/2013     $1403.28


For more information about payment please see the attachment.

Thank you,
AT&T Online Services
www.att.com/smallbusiness

Picture Version: [screenshot of the message not reproduced in this text copy]

Headers samples:

They are using the spoofed PAYVESUPPORT @ AEXP.COM envelope sender from a previous spam campaign. Each line below is the connecting host recorded in a Received: header of a different copy of the message, followed by the envelope-from the receiving Barracuda gateway logged:

Received: from AEXP.COM ([199.72.168.80])   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from c-24-118-137-49.hsd1.mn.comcast.net [24.118.137.49]   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from AEXP.COM ([5.201.227.4])   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from AEXP.COM (dsl-189-152-211-184-dyn.prod-infinitum.com.mx [189.152.211.184]   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from firewall.synmicro.com [209.12.104.146]   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from c-174-52-154-254.hsd1.ut.comcast.net [174.52.154.254]   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from host1.zumaque.com [200.75.155.226]   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from 173-247-161-242.static-ip.telepacific.net [173.247.161.242]   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from host-192-144-230-24.midco.net [24.230.144.192]   X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM

The HELO name is either the forged AEXP.COM or the sending machine's own name, and the connecting addresses are residential cable and DSL lines (comcast.net, infinitum.com.mx, midco.net) plus assorted unrelated servers: what a botnet of compromised machines looks like, not American Express's mail servers.
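The checks a mail filter or analyst would run over Received: lines like these, as an added example (not code from this page or from Barracuda): parse the HELO name, the reverse-DNS name and the connecting IP out of each line, flag a HELO that claims aexp.com without a matching reverse DNS, and flag hostnames that embed their own IP octets (forward, or reversed as midco.net does), the usual shape of residential and dynamic-pool PTR records. The SAMPLES list is constructed from the headers above with the envelope-from tail dropped; the final mail.aexp.com / 192.0.2.10 line is a hypothetical well-formed control and the keyword list is an assumption, not a standard.

```python
import ipaddress
import re

# Domain the spam forges in HELO and in the envelope sender (from this page).
CLAIMED_DOMAIN = "aexp.com"

# Constructed sample input: the Received: lines from this page with the
# X-Barracuda-Envelope-From tail dropped, plus one hypothetical well-formed
# line (mail.aexp.com / 192.0.2.10, a documentation address) for contrast.
SAMPLES = [
    "Received: from AEXP.COM ([199.72.168.80])",
    "Received: from c-24-118-137-49.hsd1.mn.comcast.net [24.118.137.49]",
    "Received: from AEXP.COM ([5.201.227.4])",
    "Received: from AEXP.COM (dsl-189-152-211-184-dyn.prod-infinitum.com.mx [189.152.211.184]",
    "Received: from firewall.synmicro.com [209.12.104.146]",
    "Received: from host-192-144-230-24.midco.net [24.230.144.192]",
    "Received: from mail.aexp.com (mail.aexp.com [192.0.2.10])",
]

# Accepts "from HELO (rdns [ip])", "from HELO ([ip])" and "from NAME [ip]";
# a missing closing parenthesis (present in one sample above) is tolerated.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[\w.-]+)?\s*\[(?P<ip_paren>[^\]]+)\]\)?)?"
    r"(?:\s+\[(?P<ip_bare>[^\]]+)\])?",
    re.IGNORECASE,
)


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_received(line):
    """Return (helo, rdns, ip) for one Received: line, or None if it does not fit."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    ip = m.group("ip_paren") or m.group("ip_bare")
    if ip is None or not _is_ip(ip):
        return None
    rdns = m.group("rdns")
    return m.group("helo").lower(), (rdns.lower() if rdns else None), ip


def looks_generic_ptr(hostname, ip):
    """Heuristic for residential / dynamic-pool hosts: the name embeds the address
    octets (in order, or reversed as midco.net does) or a pool keyword (assumed list)."""
    octets = ip.split(".")
    digits = "-".join(re.findall(r"\d+", hostname))
    if "-".join(octets) in digits or "-".join(reversed(octets)) in digits:
        return True
    words = re.split(r"[.-]", hostname.lower())
    pool_words = {"dyn", "dynamic", "dsl", "dhcp", "pool", "cable"}
    return any(w in pool_words or re.fullmatch(r"hsd\d*", w) for w in words)


def assess(line):
    """List the reasons one Received: line looks forged or bot-sent (empty list = nothing found)."""
    parsed = parse_received(line)
    if parsed is None:
        return ["unparseable Received: header"]
    helo, rdns, ip = parsed
    reasons = []
    claims = helo == CLAIMED_DOMAIN or helo.endswith("." + CLAIMED_DOMAIN)
    if claims and rdns is None:
        reasons.append(f"HELO {helo} claims {CLAIMED_DOMAIN}, but {ip} carries no reverse DNS in the header")
    elif claims and not (rdns == CLAIMED_DOMAIN or rdns.endswith("." + CLAIMED_DOMAIN)):
        reasons.append(f"HELO {helo} claims {CLAIMED_DOMAIN}, but reverse DNS is {rdns}")
    for name in (helo, rdns):
        if name and not _is_ip(name) and looks_generic_ptr(name, ip):
            reasons.append(f"{name} looks like a residential or dynamic-pool host")
            break
    return reasons


def flagged(lines):
    """Map each line that triggers at least one reason to its reasons."""
    return {line: assess(line) for line in lines if assess(line)}


if __name__ == "__main__":
    for line, reasons in flagged(SAMPLES).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Note what the heuristics miss: firewall.synmicro.com and host1.zumaque.com have ordinary server names, so only a DNS lookup (does that IP reverse to, and forward-confirm as, a host that is allowed to send for aexp.com, i.e. SPF) would catch those copies. Hostname shape is a cheap first pass, not a verdict.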

The malware attachment:

This particular version (I'm sure there are many) has an md5sum of bd357f51a1d6136d95b257fb4f02611d

https://www.virustotal.com/en/file/39e1ae3c00e8c17f76f0c80e8c481e6c5ee512bd85bc739fcac48114438fb668/analysis/1363621266/

Engine             Detection                      Signature date
MicroWorld-eScan   Trojan.Generic.KDZ.11234       20130318
BitDefender        Trojan.Generic.KDZ.11234       20130318
GData              Trojan.Generic.KDZ.11234       20130318
Ikarus             Trojan-PWS.Win32.Fareit        20130318
McAfee             Ransom-FBGF!BD357F51A1D6
Malwarebytes       Malware.Packer.SGX4
F-Prot             W32/Trojan3.EYN
Kaspersky          Trojan-PSW.Win32.Tepfer.hhul

... and many more. The Ikarus and Kaspersky names (Trojan-PWS / Trojan-PSW) mark it as a password-stealing trojan, and the hex tail of the McAfee name is the first twelve digits of the file's MD5, so that detection name can be matched back to the sample without a lookup.
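Hashing a suspect attachment against the indicators above, as an added example (not code from this page or from VirusTotal): one pass over the file computes MD5 and SHA-256 together, the digests are matched case-insensitively against the IOC set, the McAfee-style 12-digit MD5 suffix is derived, and a VirusTotal lookup URL is built from the SHA-256. The two hashes are the page's; the `/gui/file/` URL layout is an assumption (the page links the older `/en/file/` form), and the IOC set is deliberately small, so a file that does not match has merely not matched this one variant.

```python
import hashlib
import sys

# Indicators from this page: the sample's MD5 and the SHA-256 in the VirusTotal URL.
KNOWN_MD5 = "bd357f51a1d6136d95b257fb4f02611d"
KNOWN_SHA256 = "39e1ae3c00e8c17f76f0c80e8c481e6c5ee512bd85bc739fcac48114438fb668"
IOC_HASHES = {KNOWN_MD5, KNOWN_SHA256}


def digest_chunks(chunks):
    """Feed every chunk to MD5 and SHA-256 in a single pass; return both hex digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def hash_bytes(data):
    return digest_chunks([data])


def hash_file(path, chunk_size=1 << 16):
    """Stream the file so large attachments are not read into memory whole."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(digests, iocs=IOC_HASHES):
    """Return the digests that appear in the IOC set; comparison ignores case and whitespace."""
    known = {h.strip().lower() for h in iocs}
    return {d for d in digests if d.lower() in known}


def mcafee_suffix(md5_hex):
    """McAfee's '!XXXXXXXXXXXX' tail is the first 12 hex digits of the MD5, upper-cased."""
    return md5_hex[:12].upper()


def vt_url(sha256_hex):
    """Assumed current VirusTotal report URL layout (the page uses the older /en/file/ form)."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"


def scan_attachment(path, iocs=IOC_HASHES):
    md5, sha = hash_file(path)
    return {
        "md5": md5,
        "sha256": sha,
        "mcafee_suffix": mcafee_suffix(md5),
        "ioc_hits": sorted(match_iocs((md5, sha), iocs)),
        "virustotal": vt_url(sha),
    }


if __name__ == "__main__":
    # Usage: python scan.py <attachment> [<attachment> ...]
    for path in sys.argv[1:]:
        print(scan_attachment(path))
```

Hash matching is only as good as the hash list: the author expects many versions of this attachment, and each repack changes both digests while leaving the family names (Fareit / Tepfer) the same, so treat a miss as "not this exact file", never as clean.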

Song playing when article was written: Definite Choice by 7Seconds.
