Sponsored by..

Wednesday 24 October 2012

BBB Spam / samplersmagnifyingglass.net

This fake BBB spam leads to malware on samplersmagnifyingglass.net:

Date:      Wed, 24 Oct 2012 22:10:18 +0430
From:      "Better Business Bureau" [noreply@bbb.org]
Subject:      Better Business Beareau Appeal #42790699

Attention: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.

Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.

On a website above please enter your complain id: 42790699 to review it.

We are looking forward to hearing from you.


Rebecca Wilcox

Dispute advisor
Better Business Bureau
The malicious payload is on [donotclick]samplersmagnifyingglass.net/detects/confirming_absence_listing.php hosted on, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking.

Some other domains also associated with this IP are:


Unknown said...

RE: Case #2810328545

The Better Business Bureau has been filed the above mentioned complaint from one of your customers in respect of their business relations with you. The details of the consumer's concern are contained in enclosed document. Please give attention to this issue and inform us about your opinion as soon as possible. We kindly ask you to open the COMPLAINT REPORT (attached to this email) to reply on this complaint.
got this today. has a file attached: "Better-Business-Bureau-complaintIDEBF1A9D9FB9640A52E7CD3E.pdf.zip" win7 found to be malware..

Rob Krum said...

There are hundreds of other fake URLs than the ones you posted. Our company is receiving thousands of bouncebacks from invalid emails. Our ISP and domain providers basically told us we're SOL for preventing the spoofing. The botnet or whatever sending these out is sending from something which does not validate our SPF.

Conrad Longmore said...

@Rob: it's a two-level (or three-level) thing, the URL quoted in the email is a throwaway one from a legitimate hacked site. If you follow that through, you might get directed to ANOTHER hacked legit site.. but eventually you end up with the payload site that appears to be on a fairly predictable set of IP addresses. You just need to follow the rabbit down the hole a little bit..