Mark Berry August 2, 2012
Got a pretty realistic-looking AT&T billing notice this morning. So how to tell it’s phony? Well beside the fact that I’ve never had a $634 phone bill, all you have to do (if you’re using Outlook) is hover the mouse over various links in the email and you’ll see that they do not point to AT&T sites.
Don’t click on the links, and don’t right-click to download pictures.
I checked one of the links at www.virustotal.com and it came back clean. So I used an isolated test machine to view the link. Here is what it showed:
The HTML behind this page looked clean. So at this point it looks like this is in “proof-of-concept” phase, where the spammer is just sending out the phony bills, testing which links get the most clicks, etc. Or it could be that it serves different content to different browsers so that it might send malicious code to a cell phone, for example, but not to a PC. Of course at any time, they could change the web site to host viruses or phishing pages, so don’t click on the links!
By the way, localdialogue.info is registered in Indonesia and is currently hosted by Hostgator in Houston, TX (IP 126.96.36.199). The email appears to have come from Saudi Arabia (IP 188.8.131.52).