Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

October 22, 2012

Better Business Bureau Email Scams

Another round of email scams has been seen arriving in users' inboxes over the last few weeks, this time exploiting the reputable company, the Better Business Bureau (BBB). The email From address is forged to appear to have been sent directly from the BBB. The email itself contains the company's name and the identifiable BBB torch logo, and arrives with a variety of Subject lines, such as:

BBB SBQ Form #459930634(Ref#57-459930634-0-4)
BBB SBQ Form #366479516(Ref#70-366479516-0-4)
BBB SBQ Form #164522790(Ref#56-164522790-0-4)
BBB SBQ Form #463904581(Ref#65-463904581-0-4)
BBB SBQ Form #434432471(Ref#00-434432471-0-4)

The scam email also contains an attachment. The attachment is a malicious executable file (disguised as a BBB complaint) with the name "BBB_complaint.pdf.zip". Upon extracting this file, the user will see a file that appears to be a harmless PDF but is really an .exe file. A double extension is used to trick the Preview Pane into thinking it is a PDF.
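The double-extension disguise described above can be checked for at a mail gateway or during attachment triage. This added example, which is not code from the original post or from Thirtyseven4, flags ZIP members whose name ends in a document extension followed by an executable one, and goes slightly beyond the text by also flagging members that begin with the `MZ` executable header under a non-executable name. The extension sets, member names and sample archive are assumptions constructed for the example.

```python
import io
import zipfile

# Extensions Windows will execute vs. extensions users read as harmless documents.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def inspect_member(name, head):
    """Return the reasons one archive member looks like a disguised executable."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]  # strip() defeats space padding
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    reasons = []
    if last in EXECUTABLE_EXTS and prev in DECOY_EXTS:
        reasons.append(f"double extension {prev}{last}")
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append("MZ header behind non-executable name")
    return reasons


def scan_zip(data):
    """Map each suspicious member name in a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members: name check only
                with zf.open(info) as fh:
                    head = fh.read(2)
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed archive; member names and bytes are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BBB_complaint.pdf.exe", b"MZ constructed stub, not a real PE")
        zf.writestr("invoice.pdf", b"MZ constructed stub, not a real PE")
        zf.writestr("readme.pdf", b"%PDF-1.4 constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(member, "->", "; ".join(why))
```
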

Here is an example email:

Malware - Better Business Bureau Email Scam
 
If the attachment is executed, the unsuspecting user's machine gets infected with a Trojan identified by Thirtyseven4 Antivirus as "Trojan.Tepfer.bhv".

Upon analysis of the Trojan, we have observed that the file attempts to visit various links to download further malicious files.

Some example sites include:


The downloaded files are polymorphic in nature (meaning every time you visit the same link you will get a different file).

In addition to updating the Thirtyseven4 Antivirus virus scanner for these threats and future similar threats, the Thirtyseven4 Browser Protection module has also been updated to block the websites noted above.

 

 
