Friday, December 23, 2011

An AT&T Phishing Expedition

A friend of mine once had his e-mail through a (now long-defunct) organization called flash.net (How many of you even knew such an outfit existed!?) He also had his web hosting through them. The e-mail address continued to be active even as flash.net was bought out by others including Prodigy and (most recently, even though that was years ago) AT&T.

This year, AT&T decided it didn't want to support these "legacy" accounts any more. They notified everyone their web hosting support was going to end. With plenty of warning, my friend moved his web hosting to another organization — after verifying that the e-mail account (which had long since been passed to yahoo) would be unaffected.

Then, this week, he received a very suspicious e-mail, reproduced here:

---LAST WARNING---
Tuesday, December 20, 2011 12:18 PM
From: "AT&T Mail Service" <bardgym@bellsouth.net>
This sender is DomainKeys verified
To: undisclosed-recipients

Due to the congestion in all flash users and removal
of all unused flash Accounts, flash .net would be
shutting down all unused Accounts, You will have to
confirm your E-mail by filling out your Login
Information below after clicking the reply button,

* User name:

* Password:

* Date of Birth:

* Country Or Territory:

After following the instructions in the sheet, your
account will not be interrupted and will continue as
normal. Thanks for your attention to this request.
We apologize for any inconveniences.

Warning!!!: Account owner that refuses to update
his/her account after three days of receiving this
warning stands the risk of losing his or her account
permanently.

No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.449 / Virus Database: 271.1.1/3768 -
Release Date: 07/16/11 06:56:00
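What makes this message recognizable as phishing can be checked mechanically. The following is an added example, not code from the post's author or anything AT&T publishes: a small Python scan over the message reproduced above, reassembled with assumed raw headers (the Subject, To and Date values are a reconstruction of the webmail rendering, and the brand-to-domain table and indicator patterns are assumptions for the example). It flags the markers a careful reader would check by hand: a display name claiming AT&T on a bellsouth.net sender address, a hidden recipient list, a form asking for a password to be sent back by reply, and a deadline with threatened account loss. The "DomainKeys verified" line is deliberately not treated as a trust signal, because a passing signature vouches only for the signing domain, not for the organization named in the display name.

```python
"""Heuristic phishing-indicator scan over an RFC 5322 message.

Added example for this post, not code from the post's author or from AT&T.
The sample message is reconstructed from the text quoted in the post; its
raw header layout is an assumption, since the post shows a webmail rendering.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the phishing message quoted in the post, reassembled
# with assumed raw headers.
PHISHING_SAMPLE = """\
From: "AT&T Mail Service" <bardgym@bellsouth.net>
To: undisclosed-recipients:;
Subject: ---LAST WARNING---
Date: Tue, 20 Dec 2011 12:18:00 -0600

Due to the congestion in all flash users and removal
of all unused flash Accounts, flash .net would be
shutting down all unused Accounts, You will have to
confirm your E-mail by filling out your Login
Information below after clicking the reply button,

* User name:

* Password:

* Date of Birth:

* Country Or Territory:

Warning!!!: Account owner that refuses to update
his/her account after three days of receiving this
warning stands the risk of losing his or her account
permanently.
"""

# Constructed control: a plausible legitimate notice with none of the markers.
BENIGN_SAMPLE = """\
From: "AT&T Mail Service" <no-reply@att.com>
To: customer@example.com
Subject: Web hosting retirement notice
Date: Thu, 01 Sep 2011 09:00:00 -0500

Web hosting for legacy flash.net accounts ends on the date announced
earlier this year. Your e-mail address is not affected and no action
is required.
"""

# Brands a display name might claim, mapped to domains they legitimately
# send from. Assumption for this example; a real deployment maintains this.
BRAND_DOMAINS = {"at&t": {"att.com"}}

# Deadline / account-loss pressure phrases (assumed patterns).
URGENCY_PATTERNS = [
    r"last warning",
    r"\b(?:\d+|one|two|three|seven)\s+days\b",
    r"shutting down",
    r"losing (?:his|her|your)[^.]*account",
]


def scan_message(raw: str) -> dict:
    """Return the indicators found in `raw` and a simple verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if msg.is_multipart():
        body = "\n".join(
            p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    findings = {}

    # 1. Display name claims a brand the sender domain does not belong to.
    #    A DKIM/DomainKeys pass vouches only for the signing domain, so
    #    authentication results are deliberately not used as a trust signal.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings["brand_domain_mismatch"] = (
                f"display name claims {brand!r}, sender domain is {sender_domain!r}")

    # 2. Bulk delivery with a hidden recipient list.
    if "undisclosed-recipients" in msg.get("To", "").lower():
        findings["undisclosed_recipients"] = msg.get("To")

    # 3. A form line asking for a password.
    if re.search(r"^\W*password\W*$", body, re.I | re.M):
        findings["credential_request"] = "form line asking for a password"

    # 4. Credentials are to be sent back by replying, not via any login page.
    if "credential_request" in findings and re.search(r"\breply\b", text):
        findings["reply_to_phish"] = "asks for credentials in a reply"

    # 5. Deadline / account-loss pressure.
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if hits:
        findings["urgency"] = hits

    score = len(findings)
    verdict = "likely phishing" if score >= 3 else "no strong indicators"
    return {"sender_domain": sender_domain, "findings": findings,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = scan_message(sample)
        print(name, result["verdict"], sorted(result["findings"]))
```

Run as a script it prints a verdict for both samples; the quoted message trips all five indicators while the control trips none. The threshold of three is arbitrary for the example; the point is that any one of these markers alone is weak, but a credential request by reply combined with a brand/domain mismatch is about as clear as phishing gets.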

Given the level of attention AT&T had previously given to former flash.net users, he figured they might not be aware of these messages and that he ought to tell them what he'd received. He went to att.com and found a sub-page saying where to report security concerns. He forwarded the suspicious message to the e-mail address identified there. His message said:

Thought you should know about this.
(Just in case you didn't already.)

The message bounced. He checked some more and, figuring it was just a glitch, re-sent it like this:

Thought you should know about this.  (Just in case you didn't already.)

secure@att.com is the address identified to use for this purpose on the
web page http://www.att.com/gen/general?pid=19318

Once again, his message bounced, with a notice like this:

Failure Notice
Tuesday, December 20, 2011 4:55 PM
From: "MAILER-DAEMON@yahoo.com"
This sender is DomainKeys verified

Sorry, we were unable to deliver your message to the
following address.

<secure@att.com>: Remote host said: 553 information.
(#5.7.1) [BODY]

--- Below this line is a copy of the message.

I'm not sure what this means. But if the e-mail address AT&T advertises for reporting security issues doesn't work, that seems to say AT&T doesn't really want to know about them.
