The organization Better Business Bureau (BBB) assists communication and helps resolve issues between businesses and consumers. It also educates both businesses and consumers on ethical practices and several other related topics. But that’s the real BBB, which brandishes the slogan “Start with Trust,” not the bureau mentioned in this spammed email message:
Figure 1. Sample of BBB spam
The message informs its recipients that BBB is enhancing web surfing process with new security measures to keep online data and personal information safer. A link following that statement leads to this page, which is designed to look very much like the legitimate website:
Figure 2. Clicking on the link in the BBB spam leads to this fake BBB site.
Our researchers believe that this site is sitting on a fast-flux botnet infrastructure. It uses a URL under a domain named bberimc(dot)com. Note that the real BBB’s URL is just bbb(dot)org though.
The instructions on the page tell users that BBB strongly encourages them to download a digital certificate to secure transactions when browsing the company’s website. However, instead of safeguarding systems, the supposed certificate exposes them to more threats as users download the following executable file instead:
Figure 3. Clicking on the link will download an executable.
Trend Micro detects the file as TROJ_DLOADR.HR. It downloads TSPY_SNIFF.KAX, which drops a rootkit (detected as TROJ_ROOTKIT.FX) to hide malware processes. The said spyware also monitors Internet or FTP activities in pages that have login forms in them, such as those that require user names and passwords. According to Trend Micro Advanced Threats Researcher Ivan Macalintal, this threat displays a similar infection chain to the spamming and malware operations that used Merrill Lynch and Wachovia.
Just last week, Trend Micro Advanced Threats Researcher Alice Decker blogged about a possible proof-of-concept threat coming as online bank security certificate. A URL to a malicious file was sent in email messages that prey on users’ fears regarding online security combined with the financial crisis. Upon execution, the downloaded “certificate” installs a hidden driver that also monitors HTTP streams and then sends the gathered login information to a third party host. Based on their very similar infection chains, last week’s threat now actually looks like a beta test for the present BBB spamming and malware operation.
Users are advised to be wary of unwanted and unsolicited email messages. Spammers are quick to devise new ways of luring users and continuously abuse the trust users give to formal institutions. Users should be more skeptical. News regarding the global financial are all over the media, but attempts to secure businesses and personal investments should not be done carelessly.
Other BBB malware:
Other spam attacks using the financial crisis: