Malware Concept - Eye Behind Word Malware
Home Malware Fake AT&T Bill Emails Point To Malware

Fake AT&T Bill Emails Point To Malware

by Brett M. Christensen


Email purporting to be from phone service provider AT&T claims that the recipient’s bill is ready for viewing. The recipient is urged to click a Login button to access the bill online. 

Brief Analysis

The email is not from AT&T and it is not a genuine bill notification. Links in the message open a compromised website that automatically redirects users to other websites that harbour malware in the form of the Blackhole exploit kit.


Subject: Your AT&T Bill is ready to be viewed

Your online bill is ready to be viewed

Dear Valued Customer,

A new bill for your AT&T account is ready.

Any payments completed after your bill period expires will not be shown in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.

Service | Account ending in | Bill Amount | Due Date
Home Phone | {Let:0 | $830.65 | 08/06/2012

Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your bill and bill notices at Log in to online account management to view your bill, maintain your email account or make a payment.

[Link Removed]

Thank you for choosing AT&T. We value your business and look forward to serving you!

Thank you
AT&T Online Services

Contact Us
AT&T Support – quick & easy support is available 24/7.

Moving Soon?
Saty Connected with AT&T. Visit us online

ATandT Malware Emails


Detailed Analysis

This email, which appears as though it was sent by multinational telecommunications giant AT&T, claims that new bill for phone service is ready for viewing online. The email instructs recipients to click a “Log In” button to access AT&T’s online account management system to view the bill.

However, the email is not from AT&T and is not a genuine bill notification. The email is part of a criminal campaign to trick users into allowing malware to be installed on their computers. Those who click the “Log In” button in the email will be taken not to the AT&T website as they expect, but rather to a compromised website that further redirects them to a page that harbours a version of the Blackhole exploit kit. BlackHole is a web application used by criminals to exploit browser vulnerabilities as a means of downloading and installing trojans and other types of malware.
This attack is quite sophisticated, and according to Websense Security Labs, more than 200,000 of the fake emails may have already been distributed. The email comes complete with seemingly legitimate AT&T graphics and formatting. Those responsible for the attack hope that users, concerned at receiving a bill for such a large amount of money, will click the link without due forethought.

This campaign is very similar to earlier malware attacks including an April 2012 attack that consisted of fake bill emails claiming to be from Verizon Wireless. The Verizon variant also directed victims to compromised websites that contained the Blackhole exploit kit.

If you receive one of these bogus bill notification emails, do not click on any links or open any attachments that it may contain. When checking online accounts, it is always safest to access the account by entering its web address into your browser rather than by clicking links in an email. Also, always ensure that the latest security updates for your browser and operating system are installed on your computer and that you have up-to-date antivirus and anti-malware protection.

Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,