Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit

by Dancho Danchev
Cybercriminals have recently launched yet another massive spam campaign, this time impersonating a brand that appears in a sizeable share of social-engineering-driven email campaigns: the BBB (Better Business Bureau).

Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit kit.

More details:

Sample screenshot of the spamvertised email:

[Image: screenshot of the spamvertised BBB-themed email]

Sample compromised URLs used in the campaign:
hxxp://favemobile.com/wp-content/plugins/zxchhxeoige/betterbusinessrp.html
hxxp://gaming-blogger.com/wp-content/plugins/zokkbualhxe/betterbusinessrp.html
hxxp://gofastco.com/wp-content/plugins/zaoouodkpnx/betterbusinessrp.html
hxxp://williamusmanjr.com/wp-content/plugins/zpihwsvwaeo/betterbusinessrp.html

Sample client-side exploit-serving URL:
hxxp://tv-usib.com/detects/property-mass-dollar_figure.php

Malicious domain name reconnaissance:
tv-usib.com – 59.57.247.185 – Email: twine.tour1@yahoo.com
Name Server: NS1.AMISHSHOPPE.NET - Email: solaradvent@yahoo.com
Name Server: NS2.AMISHSHOPPE.NET - Email: solaradvent@yahoo.com

Responding to 59.57.247.185 are also the following malicious domains, part of the campaign’s infrastructure:

We’ve already seen the same name servers used in the previously profiled “Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit” and “Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware” campaigns.

Upon successful client-side exploitation, the campaign drops a sample with MD5 2646f13db754654aff315ff9da9fa911, detected by 30 out of 46 antivirus scanners as Worm:Win32/Cridex.E.

Upon execution, the sample phones back to:
94.73.129.120:8080/rxrt0CA/hIvhA/K66fEB/
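As an added defensive example, not part of the original write-up: a small Python triage script that scans proxy log lines for the three stages described above (the compromised WordPress redirect URLs, the Black Hole landing host, and the Cridex phone-home address) and reports which clients exhibit the complete chain. The log format and the client addresses are assumptions; the indicators are the ones listed in the post.

```python
import re
from typing import Dict, List, Optional, Set

# Indicators taken from the write-up above. The four observed redirect paths use
# a random 11-letter plugin directory, so the rule keys on the fixed filename.
CAMPAIGN_REDIRECT = re.compile(r"/wp-content/plugins/[a-z]+/betterbusinessrp\.html$")
EXPLOIT_HOSTS = {"tv-usib.com", "59.57.247.185"}
CRIDEX_C2 = ("94.73.129.120", "8080")

# Constructed proxy log lines (assumed format: client method host port path).
SAMPLE_LOG = """\
10.0.0.5 GET favemobile.com 80 /wp-content/plugins/zxchhxeoige/betterbusinessrp.html
10.0.0.5 GET tv-usib.com 80 /detects/property-mass-dollar_figure.php
10.0.0.5 POST 94.73.129.120 8080 /rxrt0CA/hIvhA/K66fEB/
10.0.0.9 GET favemobile.com 80 /wp-content/plugins/akismet/akismet.css
10.0.0.9 GET example.com 443 /index.html
"""


def classify(line: str) -> Optional[str]:
    """Return the campaign stage a log line matches, or None for benign traffic."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _client, _method, host, port, path = parts
    if CAMPAIGN_REDIRECT.search(path):
        return "stage1-compromised-wordpress-redirect"
    if host in EXPLOIT_HOSTS:
        return "stage2-blackhole-landing"
    if (host, port) == CRIDEX_C2:
        return "stage3-cridex-c2-beacon"
    return None


def scan(log: str) -> Dict[str, List[str]]:
    """Group matching client addresses by stage so the chain is visible per host."""
    hits: Dict[str, List[str]] = {}
    for line in log.splitlines():
        stage = classify(line)
        if stage:
            hits.setdefault(stage, []).append(line.split()[0])
    return hits


def full_chain_clients(hits: Dict[str, List[str]]) -> Set[str]:
    """Clients seen at all three stages: these most likely ran the Cridex payload."""
    if len(hits) < 3:
        return set()
    return set.intersection(*(set(v) for v in hits.values()))
```

A client that only hits stage 1 may have been served the landing page but not exploited; the stage 3 beacon is the strongest sign that the dropped sample executed.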

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

