01:39 PM

Update: AT&T Hackers Devised Elaborate Phishing Scam To Dupe Customers

Details of the AT&T hack are beginning to emerge. It was pulled off by identity thieves who used a bogus Web site and convincing e-mails in an attempt to fool the telecom vendor's customers.

It wasn't enough for hackers who hit AT&T's DSL equipment sales Web site to simply make off with some customer information; they've been using those stolen names, e-mail addresses, and credit card numbers to launch especially convincing phishing attacks against those victims. The phishing site set up by the hackers incorporates this stolen customer data in an effort to convince AT&T customers to divulge additional sensitive information, including Social Security numbers.

AT&T says it has already alerted the nearly 19,000 customers whose information was compromised about the phishing scam and directed them to an AT&T Yahoo help page. This page notes that AT&T customers are being targeted by a new phishing scam from the Web site. The actual address for AT&T's DSL equipment site is (not .org). A visit to the AT&T site on Friday revealed a message stating, "We apologize for the inconvenience, but our website is experiencing difficulties at this time."

The phishing scam was setup like this: Attackers sent AT&T customers e-mails advising them that their recent credit card transaction at the SBC DSL store was rejected because of incomplete information on their account. Customers were then directed to the bogus URL to update their account information, including birth date and Social Security number. AT&T states explicitly on its AT&T Yahoo help page that the company does not request credit card, Social Security number, or other sensitive personal information through e-mail.

AT&T hasn't released information about how the site was hacked on Aug. 26. It's hosted by an outside company that AT&T has not identified. AT&T is working with its own internal forensic experts as well as law enforcement to analyze the attack, a company spokesman says. The company says the attack was discovered within hours of its launch and the affected site was shut down. In a statement, it attributes the motive to a criminal market for illegally obtained personal information. The statement did not, however, mention the subsequent phishing attack.

The phishing scam adds insult to injury for AT&T customers, particularly because the stolen data used to personalize the phish made the e-mail seem fairly convincing. The best response is to be guided by common sense. "E-mail should inherently be distrusted," says Nick Selby, senior enterprise security analyst with research and analyst firm 451 Group. Beyond common sense, there are anti-phishing software packages that companies can deploy to block suspected phishing e-mails and other spam. This type of software can detect suspicious network messages, "such as if there's a mismatch between a domain name and an IP address," Selby adds.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
Increasing IT Agility and Speed To Drive Business Growth
Learn about the steps you'll need to take to transform your IT operation and culture into an agile organization that supports business-driving initiatives.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.