Businesses Targeted by Spam Linked to Exploit Pages

2011-12-08

We’re putting out a warning today to business owners and employees of both large and small businesses that spammers are now targeting you for infection with malware. In the past few days, we’ve seen a number of email messages in the guise of reports from the Better Business Bureau that claim a complaint has been filed against the email recipient’s company. A link in the message points to drive-by download sites which use a number of different exploits against your computer’s browser and other applications to force the computer to download and execute a Trojan installer.

The messages started showing up in inboxes this week, “signed with the address of the Council of Better Business Bureaus, the national office of the BBB system,” says the BBB announcement, and from email addresses the BBB does not use, such as risk.manager@bbb.org or manager@bbb.org. The messages, which sometimes include a fictitious case number in the subject line, deliver the following example of complete tripe:

Subject: BBB Complaint activity report

The Better Business Bureau has been filed the above-referenced complaint from one of your associates concerning their business relations with you.
The details of the consumer’s concern are explained in enclosed file.
Please give attention to this issue and inform us about your standpoint.
We encourage you to click here to answer this complaint.

We look forward to your prompt response.

Seriously? The Better Business Bureau has been filed the above-referenced complaint? How’d they get that whole agency into a file cabinet? And does the so-called complaint come from “one of [my] associates” or a “consumer?” This spam has more grammatical fail per square inch than I’ve seen in a while.

Looking more closely at the linked click here text, it’s clear that the URL does not point to the BBB.org Web site, but to one of a number of IP addresses or unrelated domain names. The URL path almost always contains six random alphanumeric characters, another giveaway.
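One way to automate the link check described above, as an added example that is not part of the original post: it lists the web links in an HTML message body whose host is an IP address or an unrelated domain rather than the claimed sender's, and notes a six-character path segment. The function names, the reading of "six random alphanumeric characters" as one whole path segment, and the sample hosts (documentation-reserved addresses) are assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the six random alphanumeric characters form one whole path segment.
SIX_CHAR_SEGMENT = re.compile(r"(?:^|/)[A-Za-z0-9]{6}(?:/|$)")

class LinkCollector(HTMLParser):  # collects the href of every <a> element
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html_body, claimed_domain):
    """Return (href, reasons) for web links that leave claimed_domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        on_site = host == claimed_domain or host.endswith("." + claimed_domain)
        if parts.scheme not in ("http", "https") or on_site:
            continue  # skip mailto:/relative links and links to the claimed sender
        reasons = ["ip-literal-host" if is_ip_literal(host) else "unrelated-domain"]
        if SIX_CHAR_SEGMENT.search(parts.path):
            reasons.append("six-char-path")  # weak signal, only reported off-site
        findings.append((href, reasons))
    return findings

# Constructed sample body; the hosts are documentation-reserved, not real indicators.
SAMPLE = (
    '<p>We encourage you to <a href="http://192.0.2.10/a1B2c3/index.html">click here</a></p>'
    '<p><a href="http://files.example.net/Zx9Qw2/">details</a>'
    ' <a href="https://www.bbb.org/images/">BBB</a> <a href="mailto:info@bbb.org">mail</a></p>'
)

if __name__ == "__main__":
    print(audit_links(SAMPLE, "bbb.org"))
```

The six-character path check is only reported for links that already leave the claimed domain, because ordinary paths such as `/images/` match it too.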

Businesses are a juicy target for distributors of password-stealing malware such as Zeus/Zbot/SpyEye. Those Trojans, which are hidden from view in the Task Manager once installed, typically take only seconds to capture and exfiltrate stolen FTP passwords, Web site passwords, email passwords, and other valuable information from infected computers. They then remain active on the computer, waiting for additional passwords to be entered into Web forms by the unsuspecting user of the infected machine. They steal those, too.

The most effective strategy to counter threats such as these is to educate all business email users about the threat. It is especially important to warn those employees who act as email gatekeepers, such as administrative assistants, to carefully review the destination of the link before clicking it. In most cases, if you hover the mouse over the link without clicking, the email client or browser will reveal the destination, and you can then check that destination’s reputation.

In the case of the example shown above, the IP address has been taken offline. As you can see from this screenshot from Robtex, the IP address has also been listed in the SURBL spam and malware blacklists.

In any case, if a question still remains as to whether the email is legitimate, call the organization that allegedly sent the email, and ask someone to validate the message’s authenticity on the phone before you click the link.

After having given the issue some attention, I would like to inform the spammer sending out these messages about my standpoint: You’re an illiterate waste of space. Turn off the computer and go back to kicking puppies, throwing rocks at babies, and soiling your underpants in your mom’s basement, you Arringtonian sociopath.