
Showing posts with label BBB. Show all posts

Thursday 12 February 2015

Malware spam: "BBB Accreditation Services [no-replay@newyork.bbb.org]" / "BBB SBQ Form"

This fake BBB email has a malicious attachment.

From: BBB Accreditation Services [no-replay@newyork.bbb.org]
Date: Thu, 12 Feb 2015 10:50:01 +0000
Subject: BBB SBQ Form
Thank you for supporting your Better Business Bureau (BBB).

As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.

We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)


Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily.

Thank you again for your support, and we look forward to receiving this updated information.

Sincerely,

Accreditation Services

Attached is a file SQB Form.zip which contains a malicious executable SQB Form.exe. This has a VirusTotal detection rate of 4/57. Automated analysis tools [1] [2] [3] [4] show that it attempts to connect to the following legitimate IPs and domains to determine the IP address and current time:


134.170.185.211
time.microsoft.akadns.net
checkip.dyndns.org

Of these, checkip.dyndns.org is worth monitoring as it is often an indicator of infection.

The Anubis report also shows a DNS query to semiyun.com on 95.173.170.227  (Netinternet, Turkey). Also the Malwr report shows connections to the following URLs:

http://92.240.99.70:12112/1202uk11/HOME/0/51-SP:/0/ELHBEDIBEHGBEHK
http://92.240.99.70:12112/1202uk11/HOME/41/7/4/
http://semiyun.com/mandoc/previewa.pdf


Of these, 92.240.99.70 (Ukrainian High Technologies Ltd, Ukraine) looks like the C&C server and this should definitely be blocked.

A file jeoQxZ5.exe is also dropped with a detection rate of 6/57. This is most likely the Dyre banking trojan. Samples can be found here, password is infected.
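
The network pattern described in this post (an external-IP lookup at checkip.dyndns.org followed by HTTP to a bare IP address on a non-standard port) can be hunted for in proxy logs. The following is an added example, not part of the original post: the log format, client addresses and five-minute window are assumptions, and the two 92.240.99.70 URLs are the ones listed above.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Lookup service named in the post; extend with others seen locally.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}
STANDARD_PORTS = {80, 443}

# Constructed proxy log: "<ISO timestamp> <client> <URL>" (format is an assumption).
SAMPLE_LOG = """\
2015-02-12T10:58:03 10.0.0.21 http://checkip.dyndns.org/
2015-02-12T10:58:09 10.0.0.21 http://92.240.99.70:12112/1202uk11/HOME/0/51-SP:/0/ELHBEDIBEHGBEHK
2015-02-12T10:58:15 10.0.0.21 http://92.240.99.70:12112/1202uk11/HOME/41/7/4/
2015-02-12T11:02:40 10.0.0.34 http://checkip.dyndns.org/
2015-02-12T11:05:00 10.0.0.34 http://www.example.com/index.html
2015-02-12T11:20:11 10.0.0.55 http://192.0.2.10:8080/status
"""


def parse(log_text):
    """Yield (time, client, host, port) for every well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        ts, client, url = parts
        try:
            when = datetime.fromisoformat(ts)
            u = urlsplit(url)
            port = u.port or {"http": 80, "https": 443}.get(u.scheme)
        except ValueError:
            continue  # malformed timestamp, host or port: skip the line
        yield when, client, (u.hostname or "").lower(), port


def is_ip_literal(host):
    """True when the URL host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspects(log_text, window=timedelta(minutes=5)):
    """Map each client to the bare-IP, odd-port destinations it contacted
    within `window` after asking a lookup service for its external IP.

    Either signal alone is weak: dynamic-DNS clients use checkip
    legitimately, and admin panels live on odd ports. The pair is stronger.
    """
    last_lookup = {}
    suspects = {}
    for when, client, host, port in sorted(parse(log_text), key=lambda r: r[0]):
        if host in IP_LOOKUP_HOSTS:
            last_lookup[client] = when
        elif is_ip_literal(host) and port not in STANDARD_PORTS:
            seen = last_lookup.get(client)
            if seen is not None and when - seen <= window:
                suspects.setdefault(client, set()).add(f"{host}:{port}")
    return {client: sorted(dests) for client, dests in suspects.items()}


if __name__ == "__main__":
    for client, dests in find_suspects(SAMPLE_LOG).items():
        print(client, "->", ", ".join(dests))
```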

Tuesday 10 September 2013

BBB Spam / Case_0938818_2818.exe

This fake BBB spam has a malicious attachment:

Date:      Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From:      Better Business Bureau [Aldo_Austin@newyork.bbb.org]
Subject:      FW: Case IN11A44X2WCP44M

The Better Business Bureau has received the above-referenced complaint from one of your
customers regarding their dealings with you. The details of the consumer's concern are
included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter.
Often complaints are a result of misunderstandings a company wants to know about and
correct.

In the interest of time and good customer relations, please provide the BBB with written
verification of your position in this matter by September 13, 2013. Your prompt response
will allow BBB to be of service to you and your customer in reaching a mutually agreeable
resolution. Please inform us if you have contacted your customer directly and already
resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across
the United States and Canada . This information is available to the public and is
frequently used by potential customers. Your cooperation in responding to this complaint
becomes a permanent part of your file with the Better Business Bureau. Failure to
promptly give attention to this matter may be reflected in the report we give to
consumers about your company.

We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,
Aldo_Austin
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201 

Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46 at VirusTotal.

Automated analysis of the malware is inconclusive [1] [2] [3] [4], but it does generate outbound traffic to kwaggle.com port 443 on 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife.co.uk on the same server is also hosting malware; I would therefore be suspicious about some of the other sites on the same box.

Recommended blocklist:
64.50.166.122
kwaggle.com
thisisyourwife.co.uk

Monday 22 July 2013

IRS.gov "Complaint Case #488870383295" spam / Complaint_488870383295.zip

This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.

Date:      Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
From:      "IRS.gov" [fraud.dep@irs.gov]
Subject:      Complaint Case #488870383295

You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/

Case Number: 488870383295

Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.

The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

2013 Council of IRS, Inc. All Rights Reserved.

Attached to the email is a ZIP file Complaint_488870383295.zip which in turn contains an executable Complaint_07222013.exe which is bad news. VirusTotal detection rates are a so-so 14/47.

ThreatExpert and Comodo CAMAS give a little background information, but in this case the Malwr analysis seems to be the most comprehensive and shows traffic out to the following compromised sites:

prospexleads.com
phonebillssuck.com
moneyinmarketing.com
abbeyevents.co.uk
salsaconfuego.com
fales.info

The second part has a much lower detection rate of just 2/47. At the moment this second stage is still being analysed.
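
The attachments in this post and the two above it share one shape: a ZIP whose member is a Windows executable that antivirus barely detects. The following is an added example, not from the original blog, of a mail-gateway check that ignores signatures and looks inside the archive instead. The message, sender address and payload bytes are constructed; `Case_0938818_2818.exe` is the member name from the September 2013 post, and `SQB Form.pdf` is a constructed renamed variant.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
PE_STUB = b"MZ" + b"\x00" * 62  # constructed placeholder, not a real program


def build_sample(member_name, payload):
    """Return a constructed message carrying a ZIP with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    msg = EmailMessage()
    msg["From"] = "Better Business Bureau <sender@example.invalid>"
    msg["Subject"] = "FW: Case IN11A44X2WCP44M"
    msg.set_content("We encourage you to print this complaint (attached file).")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Case_IN11A44X2WCP44M.zip")
    return msg.as_bytes()


def check_member(zf, info):
    """Return the reasons one archive member looks like an executable."""
    reasons = []
    ext = os.path.splitext(info.filename.lower())[1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    if info.flag_bits & 0x1:
        # Password-protected member: the gateway cannot see the content.
        reasons.append("encrypted member, content not scannable")
    else:
        with zf.open(info) as fh:
            if fh.read(2) == b"MZ":  # DOS/PE header, whatever the name says
                reasons.append("PE header (MZ)")
    return reasons


def inspect_message(raw):
    """Map each suspicious ZIP member in a raw message to its reasons."""
    findings = {}
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK\x03\x04"):
            continue  # not a ZIP by content; the declared MIME type is ignored
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    reasons = check_member(zf, info)
                    if reasons:
                        findings[info.filename] = reasons
        except zipfile.BadZipFile:
            findings[name] = ["unreadable archive"]
    return findings


if __name__ == "__main__":
    for member in ("Case_0938818_2818.exe", "SQB Form.pdf"):
        print(inspect_message(build_sample(member, PE_STUB)))
    print(inspect_message(build_sample("form.pdf", b"%PDF-1.4\n")))
```

Checking the first two bytes of each member catches an executable that has been renamed to look like a document, which an extension list alone would miss.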


Wednesday 12 June 2013

BBB Spam / trleaart.net

This fake BBB spam with a "PLAINT REPORT" (sic) leads to malware on trleaart.net:

From: Better Business Bureau [mailto:rivuletsjb72@bbbemail.org]
Sent: 11 June 2013 18:04

Subject: Better Business Beareau Complaint ¹ S3452568
Importance: High

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser

Better Business Bureau ©
Start With Trust
Tue , 11 Jun 2013
Issue N. S3452568
The Better Business Bureau has been booked the above said claim letter from one of your customers in respect of their dealings with you. The detailed description of the consumer's trouble are available visiting a link below. Please pay attention to this matter and inform us about your mind as soon as possible.
We amiably ask you to open the PLAINT REPORT to answer on this claim.
We awaits to your prompt response.
Faithfully yours
Daniel Cox
Dispute Advisor
Better Business Bureau
________________________________________
________________________________________
Better Business Bureau
3083   Wilson Blvd, Suite 600   Arlington, VA 25301
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
  
This information was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The link goes through a legitimate hacked site and ends up at a malware landing page on [donotclick]trleaart.net/news/members_guarantee.php (report here) hosted on the following IPs:


160.75.169.49 (Istanbul Technical University, Turkey)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)

This network of evil sites is rather large and I haven't had the time to look at it closely, but in the meantime here is a partial blocklist:

Friday 7 June 2013

BBB spam / pnpnews.net

This fake BBB spam leads to malware on pnpnews.net:

From: Better Business Bureau [mailto:standoffzwk68@clients.bbb.com]
Sent: 07 June 2013 15:08
Subject: BBB information regarding your customer's pretension No. 00167486

Better Business Bureau ©
Start With Trust ©
Fri, 7 Jun 2013
RE: Complaint No. 00167486
[redacted]
The Better Business Bureau has been entered the above said grievance from one of your users in regard to their business relations with you. The information about the consumer's trouble are available visiting a link below. Please pay attention to this matter and notify us about your sight as soon as possible.
We kindly ask you to overview the CLAIM LETTER REPORT to meet on this claim.
We awaits to your prompt answer.
Faithfully yours
Jonathan Edwards
Dispute Advisor
Better Business Bureau
________________________________________
________________________________________
Better Business Bureau
3093  Wilson Blvd, Suite 600   Arlington, VA 29701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
 
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The link in the email goes through a legitimate hacked site and then to a payload at [donotclick]pnpnews.net/news/readers-sections.php (report here) hosted on:

46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
93.89.235.13 - FBS Bilisim Cozumleri, Cyprus
178.16.216.66 - Gabrielson Invest AB, Sweden
186.215.126.52 - Global Village Telecom, Brazil
190.93.23.10 - Greendot, Trinidad and Tobago

Blocklist:


Wednesday 17 April 2013

BBB Spam / freedblacks.net

Another BBB spam run today, although this time not an RU:8080 spam we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau" which indicates they are using the same software, even if they are different gangs. The link in the email leads to malware on freedblacks.net.

Date:      Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
From:      BBB [bridegroomc@m.bbb.org]
Subject:      Better Business Beareau accreditation Cancelled P5088819
Case No. P5088819

Respective Owner/Responsive Person:

The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.

We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:
http://www.bbb.org/business-claims/customercare/report-02111671

If you think you recieved this email by mistake - please forward this message to your principal or accountant

We are looking forward to your prompt answer.

Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,

Ian Wilson - Online Communication Specialist

bbb.org - Start With Trust

The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here) hosted on the following IPs:


65.34.160.10 (Comcast, US)
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)

Blocklist:



BBB Spam / janariamko.ru

After a few quiet days on the RU:8080 spam front it has started again.

Date:      Wed, 17 Apr 2013 20:18:14 +0800
From:      "Better Business Bureau" [guttersnipeg792@ema1lsv100249121.bbb.org]
Subject:      Better Business Beareau accreditation Terminated 64A488W04

    Case N. 64A488W04

Respective Owner/Responsive Person:

The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.

We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
http://www.bbb.org/business-claims/customercare/report-65896564

If you think you got this email by mistake - please forward this message to your principal or accountant

We are looking forward to your prompt answer.

Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.

Sincerely,

Gabriel Reyes - Online Communication Specialist

bbb.org - Start With Trust

The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here) hosted on the following IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:

Wednesday 10 April 2013

BBB Spam / jamiliean.ru

This fake BBB spam leads to malware on jamiliean.ru:

From: Habbo Hotel [mailto:auto-contact@habbo.com]
Sent: 10 April 2013 00:17
Subject: Re: Better Business Bureau Complaint

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 24941954)
from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (Internet Exlporer file)

to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

CHRISTI REAGAN


Dispute Counselor
Better Business Bureau

There is an attachment BBB-Complaint-US39824.htm, with the malicious payload at [donotclick]jamiliean.ru:8080/forum/links/column.php. Associated payload, IPs and domains are the same as this attack also running today.

Thursday 7 March 2013

BBB Spam / alteshotel.net and bbb-accredited.net

This fake BBB spam leads to malware on alteshotel.net and bbb-accredited.net:


Date:      Thu, 7 Mar 2013 06:23:12 -0700
From:      "Better Business Bureau Warnings" [hurriese3@bbb.com]
Subject:      BBB details regarding your claim No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.

We graciously ask you to overview the TERMINATION REPORT to meet on this claim

We awaits to your prompt rebound.

If you think you got this email by mistake - please forward this message to your principal or accountant

Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

=========================


Date:      Thu, 7 Mar 2013 21:19:18 +0800
From:      "Better Business Bureau Warnings" [prettifyingde7@transfers.americanpayroll.org]
Subject:      BBB details about your pretense No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.

We graciously ask you to visit the ABUSE REPORT to answer on this appeal

We awaits to your prompt answer.

If you think you got this email by mistake - please forward this message to your principal or accountant

Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe



One potentially malicious payload is at [donotclick]alteshotel.net/detects/review_complain.php (looks like it might be broken - report here) hosted on:

69.43.161.176 (Parked at Castle Access Inc, US)

The other is at [donotclick]bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here) hosted on:

64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia)

These other domains can be seen on those IPs:

Recommended blocklist:

Saturday 9 February 2013

BBB Spam / madcambodia.net

This fake BBB spam leads to malware on madcambodia.net:

Date:      Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From:      Better Business Bureau [notify@bbb.org]
Subject:      BBB  details about your  cliente's pretense ID 43C796S77

Better Business Bureau ©
Start With Trust ©

Thu, 7 Feb 2013

RE: Issue No. 43C796S77

[redacted]

The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.

We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.

We awaits to your prompt response.

Best regards
Luis Davis
Dispute Advisor
Better Business Bureau

Better Business Bureau
3073  Wilson Blvd, Suite 600  Arlington, VA 23501
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The malicious payload is at [donotclick]madcambodia.net/detects/review_complain.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following domains appear to be active on these IPs:
madcambodia.net
acctnmrxm.net
capeinn.net
starsoftgroup.net
live-satellite-view.net
morepowetradersta.com

Monday 14 January 2013

BBB spam / terkamerenbos.net

This fake BBB spam leads to malware on terkamerenbos.net:

Date:      Mon, 14 Jan 2013 07:53:04 -0800 [10:53:04 EST]
From:      Better Business Bureau [notify@bbb.org]
Subject:      BBB Pretense ID 68C474U93

Better Business Bureau ©
Start With Trust ©

Mon, 14 Jan 2013

RE: Issue # 68C474U93

[redacted]

The Better Business Bureau has been booked the above said claim from one of your customers with regard to their business relations with you. The detailed description of the consumer's uneasiness are available at the link below. Please give attention to this subject and notify us about your mind as soon as possible.

We amiably ask you to click and review the CLAIM REPORT to meet on this complaint.

We are looking forward to your prompt reaction.

Best regards
Alexis Nguyen
Dispute Councilor
Better Business Bureau

Better Business Bureau
3033  Wilson Blvd, Suite 600   Arlington, VA 22701
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
 

This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The malicious payload is at [donotclick]terkamerenbos.net/detects/pull_instruction_assistant.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). The following malicious sites are on the same server:


Wednesday 9 January 2013

BBB spam / hotelrosaire.net

This fake BBB spam leads to malware on hotelrosaire.net:

Date:      Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
From:      Better Business Bureau <complaint@bbb.org>
Subject:      BBB notification regarding your  cliente's pretense No. 62850348

Better Business Bureau ©
Start With Trust ©

Tue, 8 Jan 2013

RE: Complaint N. 62850348

[redacted]

The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.

We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.

We awaits to your prompt reaction.

Yours respectfully
Liam Barnes
Dispute Consultant
Better Business Bureau

Better Business Bureau
3053   Wilson Blvd, Suite 600   Arlington, VA 25501
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

==========================

Date:      Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
From:      Better Business Bureau <donotreply@bbb.org>
Subject:      BBB  Complaint No. C1343110

Better Business Bureau ©
Start With Trust ©

Tue, 8 Jan 2013

RE: Case No. C1343110

[redacted]

The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.

We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.

We are looking forward to your prompt reaction.

Yours respectfully
Hunter Gomez
Dispute Counselor
Better Business Bureau

Better Business Bureau
3053   Wilson Blvd, Suite 600   Arlington, VA 22801
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe 

The malicious payload is on [donotclick]hotelrosaire.net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet.net which was seen in another BBB spam run yesterday.

Tuesday 8 January 2013

BBB Spam / royalwinnipegballet.net

This fake BBB spam leads to malware on royalwinnipegballet.net:

Date:      Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
From:      Better Business Bureau <information@bbb.org>
To:      [redacted]
Subject:      BBB information regarding your customer's appeal ¹ 96682901

Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Complaint # 96682901

[redacted]

The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.

We graciously ask you to open the CLAIM REPORT to answer on this reclamation.

We are looking forward to your prompt answer.

Faithfully yours
Alex Green
Dispute Counselor
Better Business Bureau

Better Business Bureau
3063  Wilson Blvd, Suite 600  Arlington, VA 27201
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
 

This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

====================

Date:      Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
From:      Better Business Bureau <donotreply@bbb.org>
Subject:      Better Business Beareau   Pretense ¹ C6273504
Priority:      High Priority 1

 Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Issue No. C6273504

[redacted]

The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.

We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.

We are looking forward to your prompt rebound.

Yours respectfully
Julian Morales
Dispute Advisor
Better Business Bureau

Better Business Bureau
3013   Wilson Blvd, Suite 600  Arlington, VA 20701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277


This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The malicious payload is on [donotclick]royalwinnipegballet.net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion).


Friday 7 December 2012

BBB spam / ibertomoralles.org

This bizarrely worded fake BBB spam leads to malware on ibertomoralles.org:


Date:      Fri, 7 Dec 2012 18:43:08 +0100
From:      "Better Business Bureau" [complaint@bbb.org]
Subject:      BBB Complaint No.65183683

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Fri, 7 Dec 2012

RE: Complaint N. 65183683

Hello

The Better Business Bureau has been booked the above said complaint from one of your purchasers in regard to their business relations with you. The detailed description of the consumer's disturbance are available visiting a link below. Please give attention to this point and let us know about your mind as soon as possible.

We amiably ask you to overview the GRIEVANCE REPORT to reply on this claim letter.

We are looking forward to your prompt reaction.

Faithfully yours
Natalie Richardson
Dispute Councilor
Better Business Bureau

Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 28201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

====================


Date:      Fri, 7 Dec 2012 19:42:23 +0200
From:      "Better Business Bureau" [noreply@bbb.org]
Subject:      BBB Appeal No.05P610Q78

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Fri, 7 Dec 2012

RE: Case # 05P610Q78

Hello

The Better Business Bureau has been filed the above said reclamation from one of your customers in respect of their dealings with you. The details of the consumer's disturbance are available at the link below. Please pay attention to this issue and notify us about your sight as soon as possible.

We politely ask you to visit the PLAINT REPORT to meet on this claim.

We are looking forward to your prompt reaction.

Yours respectfully
Dylan Peterson
Dispute Councilor
Better Business Bureau

Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 25301
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This message was delivered to [redacted] Don't want to receive these emails anymore? You can unsubscribe

====================

From: Better Business Bureau [mailto:information@bbb.org]
Sent: Fri 07/12/2012 17:01
Subject: Better Business Beareau Pretension No.S8598593


Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser

Better Business Bureau ©

Start With Trust 
Fri, 7 Dec 2012

RE: Complaint N. S8598593


Valued client

The Better Business Bureau has been entered the above mentioned grievance from one of your clientes with reference to their dealings with you. The details of the consumer's worry are available at the link below. Please give attention to this problem and let us know about your opinion as soon as possible.

We pleasantly ask you to click and review the CLAIM LETTER REPORT to respond on this grievance.

We awaits to your prompt response.

WBR
Aiden Thompson
Dispute Advisor
Better Business Bureau

Better Business Bureau
3003   Wilson Blvd, Suite 600  Arlington, VA 26701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277

  
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The payload and IP addresses are exactly the same as the ones found in this spam run.

Wednesday 5 December 2012

BBB Spam / leberiasun.ru

This fake BBB spam leads to malware on leberiasun.ru:


Date:      Wed, 5 Dec 2012 11:32:47 +0330
From:      Bebo Service [service@noreply.bebo.com]
Subject:      Urgent information from BBB

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 243917811)
from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.
Regards,

JONELLE Payne


The malicious payload is at [donotclick]leberiasun.ru:8080/forum/links/column.php (report here) hosted on the following IPs:

42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)

These IPs have been used in several attacks recently. You should block access if you can.
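As an added illustration (not code from the original post), the sketch below turns the indicators listed in this post, written in the blog's `[donotclick]` notation, into host and IP sets and checks proxy log lines against both, so a request is flagged whether the domain or the hosting IP is reused. The log format, the client addresses and the non-listed destinations are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicator lines taken from the post above, in the blog's own notation.
POST_INDICATORS = """\
[donotclick]leberiasun.ru:8080/forum/links/column.php
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)
"""

# Constructed proxy log: timestamp, client, destination IP, method, URL.
SAMPLE_LOG = [
    "2012-12-05T08:02:11Z 10.0.0.23 42.121.116.38 GET http://leberiasun.ru:8080/forum/links/column.php",
    "2012-12-05T08:03:40Z 10.0.0.31 208.87.243.131 GET http://other-name.example:8080/forum/x.php",
    "2012-12-05T08:04:02Z 10.0.0.44 192.0.2.10 GET http://LEBERIASUN.RU:8080/forum/links/column.php",
    "2012-12-05T08:05:19Z 10.0.0.52 198.51.100.7 GET http://www.example.org/index.html",
    "truncated line",
]

def parse_indicators(text):
    """Split defanged URL lines and 'IP (owner)' lines into (hosts, ips)."""
    hosts, ips = set(), set()
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[donotclick]"):
            target = urlsplit("http://" + line[len("[donotclick]"):]).hostname
        else:
            target = line.split()[0]
        try:
            ips.add(str(ipaddress.ip_address(target)))  # normalised IP literal
        except ValueError:
            hosts.add(target.lower().rstrip("."))  # not an IP, so a hostname
    return hosts, ips

def find_hits(log_lines, hosts, ips):
    """Return (client, reason) for lines whose URL host or destination IP is listed."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash
        client, dest_ip, url = fields[1], fields[2], fields[4]
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((client, "host:" + host))
        elif dest_ip in ips:
            hits.append((client, "ip:" + dest_ip))
    return hits
```

The second sample line matches on IP alone and the third on hostname alone, which is why both sets are checked.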


Wednesday 24 October 2012

BBB Spam / samplersmagnifyingglass.net

This fake BBB spam leads to malware on samplersmagnifyingglass.net:

Date:      Wed, 24 Oct 2012 22:10:18 +0430
From:      "Better Business Bureau" [noreply@bbb.org]
Subject:      Better Business Beareau Appeal #42790699

Attention: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.

Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.

On a website above please enter your complain id: 42790699 to review it.

We are looking forward to hearing from you.
-----------------------------------

Faithfully,

Rebecca Wilcox

Dispute advisor
Better Business Bureau
The malicious payload is on [donotclick]samplersmagnifyingglass.net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking.

Some other domains also associated with this IP are:

Tuesday 25 September 2012

BBB Spam / one.1000houses.biz

This fake BBB spam leads to malware at one.1000houses.biz:


Date:      Tue, 25 Sep 2012 11:42:18 +0200
From:      "Better.Business Bureau" [8050910@zread.com]
Subject:      Activity Report



Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#125368

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The malicious payload is at [donotclick]one.1000houses.biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses.biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.

Blocking 199.195.116.185 would probably be prudent.

Monday 24 September 2012

BBB Spam / 108.178.59.11

This fake BBB spam leads to malware on 108.178.59.11:


Date:      Mon, 24 Sep 2012 18:39:47 +0530
From:      "BBB Complaint activity report" [B1A41D3F@onlinepcexpert.net]
Subject:      BBB Case #9833204



Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#9833204

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========


Date:      Mon, 24 Sep 2012 08:25:00 -0300
From:      "Better Business Bureau" [792375B2@mbdservices.com]
Subject:      BBB Complaint activity report

Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#360343

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The malicious payload is on [donotclick]108.178.59.11/links/anybody_miss-knowing.php (Singlehop, US) which is most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can.


Wednesday 20 June 2012

BBB Spam / sushfpappsbf.ru

I haven't seen any fake BBB spam for a while, but here it is. This new spam run leads to malware on sushfpappsbf.ru.
Date:      Wed, 20 Jun 2012 05:20:45 +0100
From:      LamarHF4AF78ZFq@gmail.com
Subject:      Urgent information from BBB

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 615337145)
from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.
Regards,

Lamar WILHELM


The malicious payload is at [donotclick]sushfpappsbf.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) which is multihomed on the following IPs:

94.20.30.91 (Delta Telecom, Azerbaijan)
124.124.212.172 (Reliance Communications, India)
173.224.209.130 (Psychz Networks, US)
213.17.171.186 (Netia SA, Poland)

The following IPs and domain names are connected with this malware run and should be blocked if you can:


Tuesday 13 March 2012

BBB Spam / mynourigen.net

More BBB spam leading to malware, this time at mynourigen.net. For example:

Date:      Tue, 13 Mar 2012 20:39:07 +0700
From:      "BBB"
Subject:      Important! BBB complaint activity report
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been filed a complaint (ID 92163107) from one of your customers related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and let us know of your opinion as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:42:30 +0100
From:      "Better Business Bureau"
Subject:      Your customer complained to BBB
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 31347804) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this issue and let us know of your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:53:11 +0100
From:      "BBB"
Subject:      BBB important information
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 11043517) from your customer in regard to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this case and let us know of your point of view as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:30:45 +0100
From:      "BBB"
Subject:      BBB processing RE: Case ID 06216966
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 06216966) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this case and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Kind regards,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

The malicious payload is on mynourigen.net/main.php?page=dc6f9d2a120107b9 and mynourigen.net/content/ap2.php?f=fa88c - it's the usual mixed bag of exploits.

mynourigen.net is apparently hosted on 41.64.21.71 in Egypt (seen many times before). The following domains are also associated with the same IP and can be considered to be malicious.
