
This is another fake AT&T notification email that claims to have a payment confirmation for you attached.

Other emails in the spoofed payvesupport@ aexp.com series:

The attachment is a virus.

Text version:


Subject: AT&T online payment confirmation

AT&T payment confirmation
Dear Valued Customer,

Thank you for using AT&T online payments.

You submitted the following payment(s) for your account.

Payment Method     Confirmation     Payment Date     Amount
BankDraft     ZLLW3LH2512FH03     03/18/2013     $1403.28


For more information about payment please see the attachment.

Thank you,
AT&T Online Services
www.att.com/smallbusiness

 


 


Header samples:

They are using the spoofed payvesupport @ aexp.com address from a previous spam campaign:

Received: from AEXP.COM ([199.72.168.80]) X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from c-24-118-137-49.hsd1.mn.comcast.net [24.118.137.49] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from AEXP.COM ([5.201.227.4]) X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from AEXP.COM (dsl-189-152-211-184-dyn.prod-infinitum.com.mx [189.152.211.184] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from firewall.synmicro.com [209.12.104.146] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from c-174-52-154-254.hsd1.ut.comcast.net [174.52.154.254] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from host1.zumaque.com [200.75.155.226] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from 173-247-161-242.static-ip.telepacific.net [173.247.161.242] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
Received: from host-192-144-230-24.midco.net [24.230.144.192] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM
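The mismatches visible in those headers can be checked mechanically. The following is an added example, not part of the original post: it parses lines in the layouts shown above and flags each relay. The `att.com` brand domain passed in, the flag names and the function names are assumptions of this example, and the first token after `from` is treated as the name the relay presented.

```python
import re
from collections import defaultdict

# Header samples copied from this page (spacing around "@" as published).
SAMPLES = [
    "Received: from AEXP.COM ([199.72.168.80]) X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM",
    "Received: from c-24-118-137-49.hsd1.mn.comcast.net [24.118.137.49] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM",
    "Received: from AEXP.COM (dsl-189-152-211-184-dyn.prod-infinitum.com.mx [189.152.211.184] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM",
    "Received: from firewall.synmicro.com [209.12.104.146] X-Barracuda-Envelope-From: PAYVESUPPORT @ AEXP.COM",
]

LINE_RE = re.compile(
    r"Received: from (?P<name>\S+)\s*\(?(?P<rdns>[\w.-]+)?\s*\[(?P<ip>[\d.]+)\]"
    r".*?Envelope-From:\s*(?P<user>\S+)\s*@\s*(?P<domain>\S+)", re.I)

def within(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def analyze(lines, brand_domain):
    """Flag each relay and count distinct source IPs per envelope sender."""
    flags, sources = {}, defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not in one of the layouts shown on the page
        name, rdns, ip = m["name"], m["rdns"], m["ip"]
        sender_domain = m["domain"].lower()
        found = []
        if not within(sender_domain, brand_domain):
            found.append("envelope_not_brand")      # AT&T-branded mail, other sender domain
        if within(name, sender_domain):
            if rdns is None or not within(rdns, sender_domain):
                found.append("helo_unconfirmed")    # claims the domain, rDNS does not back it
        else:
            found.append("relay_outside_sender")    # connecting host is unrelated to sender
        flags[ip] = found
        sources[f"{m['user'].lower()}@{sender_domain}"].add(ip)
    return flags, {s: len(ips) for s, ips in sources.items()}

if __name__ == "__main__":
    flags, counts = analyze(SAMPLES, "att.com")
    for ip, found in flags.items():
        print(ip, ", ".join(found))
    print(counts)
```

These flags are triage hints for header review; SPF, DKIM and DMARC results remain the authoritative check on whether a host may send for a domain.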

The virus attachment:

This particular version (I'm sure there are many) has an md5sum of bd357f51a1d6136d95b257fb4f02611d

https://www.virustotal.com/en/file/39e1ae3c00e8c17f76f0c80e8c481e6c5ee512bd85bc739fcac48114438fb668/analysis/1363621266/

MicroWorld-eScan     Trojan.Generic.KDZ.11234     20130318
BitDefender     Trojan.Generic.KDZ.11234     20130318
GData     Trojan.Generic.KDZ.11234     20130318
Ikarus     Trojan-PWS.Win32.Fareit     20130318
McAfee     Ransom-FBGF!BD357F51A1D6
Malwarebytes     Malware.Packer.SGX4
F-Prot     W32/Trojan3.EYN
Kaspersky     Trojan-PSW.Win32.Tepfer.hhul

.... and much much more.

 

Song playing when article was written: Definite Choice by 7Seconds.
