Sponsored by..

Wednesday, 7 December 2011

Malware: BBB "Complaint from your customers" and billycharge.com

Another day, another spam campaign leading to the Blackhole Exploit Kit.

Date:      Wed, 7 Dec 2011 08:33:03 +0000
From:      "::Better Business Bureau::" [risk.manager@bbb.org]
Subject:      Complaint from your customers
Attachments:     bbb_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has been sent the above mentioned complaint from one of your customers on the subject of their dealings with you.
The detailed information about the consumer's concern is explained in enclosed document.
Please review this matter and notify us of your position.
Please click here to reply this complaint.

We look forward to your prompt reply.

Yours faithfully,
Shawna Dennis
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

A link in the email goes to a legitimate but hacked site, users are forwarded to billycharge.com on 79.137.237.63. This IP is on Digital Networks CJSC in Russia (aka DINETHOSTING), a wholly black hat operation - you should block access to 79.137.224.0/20 if you haven't already done so. The Wepawet report is here , VT shows 0/43 detections for the exploit page although the download malware should tickle at least some scanners.

Some other subjects and senders being used in this spam:
  • BBB assistance Re: Case # [random number]
  • BBB Complaint activity report
  • BBB processing
  • BBB service Re: Case # [random number]
  • Better Business Bureau Case # [random number]
  • Complaint from your customers
  • Please review your customer's complaint
  • Re: BBB Case # [random number]
  • Re: Case # [random number]
  • Your customer's complaint
  • Your customer's concern
  • admin@bbb.org
  • alert@bbb.org
  • alerts@bbb.org
  • info@bbb.org
  • manager@bbb.org
  • risk.manager@bbb.org
  • risk@bbb.org
  • service@bbb.org
  • support@bbb.org

    16 comments:

    mb said...

    Yes, I got this email also and was concerned it was a true complaint. My net software blocked it and said it was malicious.

    Natalie Thiele said...

    Thank you! I just got three of them. Couldn't imagine how I had done something inappropriate to three different clients. My computer, like the other commenter's, warned me not to open them.

    Jay Gefucia said...

    I just received 2 as well, looks legitimate but the browser warns its unsafe. Thanks a lot.

    lucakilm said...

    I've just received one and clicked on the link, but immediately closed it...do I have to expect to be in trouble anyway?

    Thanks in advance for the info!

    Pop 1 said...

    I also got four items but they were sent to spam. I will delete.

    John Scott Smith said...

    We got one, too, on December 7th, 2011 at 4:14 am. Thank you for posting this.

    John Scott Smith said...

    We got one, too, on December 7th, 2011 at 4:14 am. Thank you for posting this.

    John Scott Smith said...

    We got one, too, on December 7th, 2011 at 4:14 am. Thank you for posting this.

    Carole said...

    Thank you for posting, I was very worried and almost opened the link as I have never had a complaint from a customer before. Some people are evil!

    Kathleen North Porter said...

    Lucakilm: I clicked the link too and then found this post. I just can an anti-spyware search and it came up clean. Might just run one to be safe, especially if you are on a PC.

    ff said...

    I received it twice today!

    lucakilm said...

    Dear Kathleen, thanks for the info!
    I use a Mac, so hope it's ok!

    TB said...

    I just received two of these emails. Microsoft outlook warned me that "This might be a phishing message...". I did some search before I click the link in the emails.
    Thanks!

    Jon said...

    Received two of them this morning. Typed in the BBB's phone number into Google and came to this site, and my suspicions were confirmed. Haven't clicked the link, and now I'll tell my company's IT department to block emails from this sender. Thanks for your site.

    daivmoran said...

    I had a client's web server that was sending these out. Had to uninstall the SMTP service.
    I never did find the infection that was causing this, ultimately needed to move the site to another server.

    gunnu said...

    Yes i got too .. i just delete it .. thanks for posting this article i came to know now this is fake email .