AT&T Impersonated in Malware Download Attack

May 21, 2020

It’s common practice for companies to send notification emails with purchase receipts and tracking information, especially for purchases that are on the expensive side. However, for individuals who have not made recent purchases, this can be alarming, as these emails could signal fraudulent charges to the user’s credit card.

In this case, an attacker spoofed a notification email from AT&T. The goals was to encourage the target to investigate these charges, and by doing so, to inadvertently download malware.

Summary of Attack Target

  • Platform: Microsoft Office 365
  • Email Security Bypassed: FireEye
  • Victims: Employees
  • Payload: Malware
  • Technique: Spoofed Email + Impersonation

Overview of AT&T Impersonation Malware Attack

The email appears to be an automated notification regarding the order status of a recent purchase. The sender email looks like it comes from an authentic AT&T email address, and the images embedded in the body are the same as those used by the brand. However, checking the header IPs of the email, we are able to verify that the sender information is spoofed. We would expect the IP of an authentic email from AT&T to come from AT&T. This email, however, originated from an IP address in Ghana.

The email contains a link claiming to be the order details of the transaction. However, clicking on the link automatically downloads a .jar file that contains malware. The download is hosted at a site that is commonly used to store various malware downloads.

Should recipients fall victim to this attack, their device would be infected with malware. This would allow the attacker to steal sensitive personal information and potentially hijack the user’s device.

Why the AT&T Impersonation Malware Attack is Effective

The sender email was spoofed to impersonate a legitimate email address used by AT&T Wireless to send tracking notifications to customers. The email body itself perfectly matched legitimate emails sent by this AT&T email address—the formatting, the embedded images, and the content were identical. The only differences were the links attached to the email. The attacker anticipates that since the sender and the email appear authentic, recipients would be less suspicious of the downloaded malware file.

In addition, the malware URL is wrapped with text in the email body in order to conceal the link used by the attacker. The link directs to a download hosted at a page the attacker likely controls which is not affiliated with AT&T.

Abnormal can detect this attack as a result of a variety of factors. Most notably, DMARC email authentication fails for the sending address, and the sender has never before sent to anyone within the organization. Furthermore, content analysis shows that there is a suspicious link and that the message appears to come from an automated system, which is common method of email attack.

To discover more about how Abnormal can protect your organization from malware and other advanced attacks, see a demo today.

Blog yellow neon sign
Due to recent quarantine restrictions, companies have moved to online collaboration software and cloud-based applications. Despite the benefits of convenience and increased productivity from the use of cloud computing services, user accounts for these services...
Read More
Blog yellow tunnel
Vendor email compromise, in which a compromised vendor sends invoice or payment attacks to their customers, is growing in popularity. An easier to detect method of this attack happens when a vendor is impersonated, rather than compromised. In this attack, the...
Read More

Related Posts

Blog engineering cybersecurity careers
Cybersecurity Careers Awareness Week is a great opportunity to explore key careers in information security, particularly as there are an estimated 3.1 million unfilled cybersecurity jobs. This disparity means that cybercriminals are taking advantage of the situation, sending more targeted attacks and seeing greater success each year.
Read More
Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More
Blog yellow skyline
No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside. Threat actors know this, and they’re taking advantage of human emotions.
Read More
Blog rising building
There is little doubt that business email compromise and other advanced email threats are causing significant damage–both financial and reputational—to organizations worldwide. Because these never-before-seen attacks contain few indicators of compromise, they evade secure email gateways and other traditional email infrastructure...
Read More