Watch out for AT&T rewards phishing text that wants your personal details
嗯,用户让我总结这篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”之类的开头。首先,我得通读一下文章,抓住主要信息。 文章讲的是一个针对AT&T客户的钓鱼攻击。攻击者伪造了AT&T的短信,声称用户的奖励积分即将过期,诱导用户点击链接。链接指向一个看起来像AT&T官网的钓鱼网站,用户会被要求输入个人信息和信用卡信息。 接下来,文章详细描述了钓鱼网站的结构和攻击手法,包括如何通过紧迫感和恐惧心理来诱骗用户。攻击者使用了先进的前端验证代码来确保收集到的数据完整无误,并且将数据发送到他们的服务器上。 最后,文章给出了防范建议,比如检查链接、启用多因素认证、使用防恶意软件工具等。 现在,我需要把这些要点浓缩到100字以内。要确保涵盖攻击手段、钓鱼网站的特点、数据窃取方式以及防范措施。同时保持语言简洁明了。 可能的结构是:介绍攻击类型、目标、诱骗手段、数据窃取方法以及防范建议。这样既全面又简洁。 </think> 这篇文章描述了一起针对AT&T客户的复杂钓鱼攻击。攻击者通过伪造AT&T短信通知用户奖励积分即将过期,并诱导点击链接进入仿冒网站。该网站不仅复制了AT&T的真实页面,还通过虚假的积分兑换流程收集用户的敏感信息和信用卡数据。文章还分析了攻击的技术细节和防范建议。 2026-1-27 17:43:47 Author: www.malwarebytes.com(查看原文) 阅读量:3 收藏

A coworker shared this suspicious SMS where AT&T supposedly warns the recipient that their reward points are about to expire.

Phishing attacks are growing increasingly sophisticated, likely with help from AI. They’re getting better at mimicking major brands—not just in look, but in behavior. Recently, we uncovered a well-executed phishing campaign targeting AT&T customers that combines realistic branding, clever social engineering, and layered data theft tactics.

In this post, we’ll walk you through the investigation, screen by screen, explaining how the campaign tricks its victims and where the stolen data ends up.

This is the text message that started the investigation.

“Dear Customer,
Your AT&T account currently holds 11,430 reward points scheduled to expire on January 26, 2026.
Recommended redemption methods:
– AT&T Rewards Center: {Shortened link}
– AT&T Mobile App: Rewards section
AT&T is dedicated to serving you.”

The shortened URL led to https://att.hgfxp[.]cc/pay/, a website designed to look like an AT&T site in name and appearance.

All branding, headers, and menus were copied over, and the page was full of real links out to att.com.

But the “main event” was a special section explaining how to access your AT&T reward points.

After “verifying” their account with a phone number, the victim is shown a dashboard warning that their AT&T points are due to expire in two days. This short window is a common phishing tactic that exploits urgency and FOMO (fear of missing out).

The rewards on offer—such as Amazon gift cards, headphones, smartwatches, and more—are enticing and reinforce the illusion that the victim is dealing with a legitimate loyalty program.

To add even more credibility, after submitting a phone number, the victim gets to see a list of available gifts, followed by a final confirmation prompt.

At that point, the target is prompted to fill out a “Delivery Information” form requesting sensitive personal information, including name, address, phone number, email, and more. This is where the actual data theft takes place.

The form’s visible submission flow is smooth and professional, with real-time validation and error highlighting—just like you’d expect from a top brand. This is deliberate. The attackers use advanced front-end validation code to maximize the quality and completeness of the stolen information.

Behind the slick UI, the form is connected to JavaScript code that, when the victim hits “Continue,” collects everything they’ve entered and transmits it directly to the attackers. In our investigation, we deobfuscated their code and found a large “data” section.

The stolen data gets sent in JSON format via POST to https://att.hgfxp[.]cc/api/open/cvvInterface.

This endpoint is hosted on the attacker’s domain, giving them immediate access to everything the victim submits.

What makes this campaign effective and dangerous

  • Sophisticated mimicry: Every page is an accurate clone of att.com, complete with working navigation links and logos.
  • Layered social engineering: Victims are lured step by step, each page lowering their guard and increasing trust.
  • Quality assurance: Custom JavaScript form validation reduces errors and increases successful data capture.
  • Obfuscated code: Malicious scripts are wrapped in obfuscation, slowing analysis and takedown.
  • Centralized exfiltration: All harvested data is POSTed directly to the attacker’s command-and-control endpoint.

How to defend yourself

A number of red flags could have alerted the target that this was a phishing attempt:

  • The text was sent to 18 recipients at once.
  • It used a generic greeting (“Dear Customer”) instead of personal identification.
  • The sender’s number was not a recognized AT&T contact.
  • The expiration date changed if the victim visited the fake site on a later date.

Beyond avoiding unsolicited links, here are a few ways to stay safe:

  • Only access your accounts through official apps or by typing the official website (att.com) directly into your browser.
  • Check URLs carefully. Even if a page looks perfect, hover over links and check the address bar for official domains.
  • Enable multi-factor authentication for your AT&T and other critical accounts.
  • Use an up to date real-time anti-malware solution with a web protection module.

Pro tip: Malwarebytes Scam Guard recognized this text as a scam.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

About the author

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.


文章来源: https://www.malwarebytes.com/blog/threat-intel/2026/01/watch-out-for-att-rewards-phishing-text-that-wants-your-personal-details
如有侵权请联系:admin#unsafe.sh