Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit

by

Share this news now.

Cybercriminals have recently launched yet another massive spam campaign, impersonating a rather popular brand used in a decent percentage of social engineering driven email campaigns – the BBB (Better Business Bureau).

Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit kit.

More details:

Sample screenshot of the spamvertised email:

Email_Spam_BBB_Better_Business_Bureau_Exploits_Malware_Black_Hole_Exploit_Kit

Sample compromised URLs used in the campaign:
hxxp://favemobile.com/wp-content/plugins/zxchhxeoige/betterbusinessrp.html
hxxp://gaming-blogger.com/wp-content/plugins/zokkbualhxe/betterbusinessrp.html
hxxp://gofastco.com/wp-content/plugins/zaoouodkpnx/betterbusinessrp.html
hxxp://williamusmanjr.com/wp-content/plugins/zpihwsvwaeo/betterbusinessrp.html

Sample client-side exploits serving URL:
hxxp://tv-usib.com/detects/property-mass-dollar_figure.php

Malicious domain name reconnaissance:
tv-usib.com – 59.57.247.185 – Email: twine.tour1@yahoo.com
Name Server: NS1.AMISHSHOPPE.NET - Email: solaradvent@yahoo.com
Name Server: NS2.AMISHSHOPPE.NET - Email: solaradvent@yahoo.com

Responding to 59.57.247.185 are also the following malicious domains, part of the campaign’s infrastructure:
africanbeat.net
akbmag.com
atsushitani.com
barcwealth.com
bmsavingsn.com – ACTIVE phishing campaign
eaglepointecondo.biz
eaglepointecondo.info
eaglepointecondo.org
hfeitu.net
incinteractive.net
labpr.com
lloydsbts-offshore.com
sessionid0147239047829578349578239077.pl
winterskyserf.ru

We’ve already seen the same name servers used in the previously profiled ”Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit“; “Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware” campaigns.

Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 – detected by 30 out of 46 antivirus scanners as Worm:Win32/Cridex.E.

Upon execution, the sample phones back to:
94.73.129.120:8080/rxrt0CA/hIvhA/K66fEB/

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Share this news now.
Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit by

Trackbacks

  1. [...] We’ve already seen and profiled the same IP in the following malicious campaigns: “Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit“; “Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware“; “Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit“. [...]