Sponsored by..

Showing posts with label BBB. Show all posts
Showing posts with label BBB. Show all posts

Friday 9 December 2011

BBB Spam / combiplease.com

The BBB spam run is back today, with a malicious payload on combiplease.com (174.140.165.194), pretty much the same pattern as yesterday and earlier in the week.


This example is from this morning:

Date:      Fri, 9 Dec 2011 09:39:28 +0200
From:      "risk@bbb.org" [alerts@bbb.org]
Subject:      Re: Case # 48783457
Attachments:     main_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has got the above-referenced complaint from one of your associates in respect of their business relations with you.
The detailed information about the consumer's concern is contained in enclosed file.
Please give attention to this question and inform us about your standpoint.
Please click here to reply this complaint.

We look forward to your prompt response.

Yours faithfully,
Anita Emil
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Blocking 174.140.165.194 may be a good idea as other malicious domains may crop up on the same IP address.

Thursday 8 December 2011

BBB Spam / combijump.com / combimyself.com / combigave.com

A new version of yesterday's spam, this current crop of "BBB Complaint" emails lead to a malicious payload on combijump.com on 46.45.137.206. combimyself.com and combigave.com is on the same server and can also be assumed to be malicious.

VirusTotal detection on the target page is poor. 46.45.137.206 is on a Turkish network called Safya Net, I cannot vouch for its reputation however and it might be worth blocking the /24.

Wednesday 7 December 2011

Malware: BBB "Complaint from your customers" and billycharge.com

Another day, another spam campaign leading to the Blackhole Exploit Kit.

Date:      Wed, 7 Dec 2011 08:33:03 +0000
From:      "::Better Business Bureau::" [risk.manager@bbb.org]
Subject:      Complaint from your customers
Attachments:     bbb_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has been sent the above mentioned complaint from one of your customers on the subject of their dealings with you.
The detailed information about the consumer's concern is explained in enclosed document.
Please review this matter and notify us of your position.
Please click here to reply this complaint.

We look forward to your prompt reply.

Yours faithfully,
Shawna Dennis
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

A link in the email goes to a legitimate but hacked site, users are forwarded to billycharge.com on 79.137.237.63. This IP is on Digital Networks CJSC in Russia (aka DINETHOSTING), a wholly black hat operation - you should block access to 79.137.224.0/20 if you haven't already done so. The Wepawet report is here , VT shows 0/43 detections for the exploit page although the download malware should tickle at least some scanners.

Some other subjects and senders being used in this spam:
  • BBB assistance Re: Case # [random number]
  • BBB Complaint activity report
  • BBB processing
  • BBB service Re: Case # [random number]
  • Better Business Bureau Case # [random number]
  • Complaint from your customers
  • Please review your customer's complaint
  • Re: BBB Case # [random number]
  • Re: Case # [random number]
  • Your customer's complaint
  • Your customer's concern
  • admin@bbb.org
  • alert@bbb.org
  • alerts@bbb.org
  • info@bbb.org
  • manager@bbb.org
  • risk.manager@bbb.org
  • risk@bbb.org
  • service@bbb.org
  • support@bbb.org