Thursday, June 21, 2007

'BBB.org' spearphishing attack

I've seen a number of fake 'BBB.org' emails, spammed to senior positions.

The Better Business Bureau's official site describes the attack.

I attached a cleaned-up copy below, with headers.

The emails contain an attachment, in these cases called 'Document_for_Case.doc'. It's an RTF (Rich Text Format) document that contains a malicious embedded object; here's the beginning of that file:

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20 This document contains an embedded object. To open it double-click the icon.\par
\par
{\object\objemb{\*\objclass Package}\objw2325\objh765{\*\objdata
01050000
02000000
08000000
5061636b61676500
00000000
00000000
882e0000
0200446f63756d656e74735f666f725f436173652e70646600433a5c41444f4245527e312e4558


That document scans 'clean' with most virus scanners. On 6/21/2007, Virustotal.com reported that only 9 of its 30 scanners detected it.


This attack may be fairly damaging for three reasons: antivirus coverage is weak; the attachment is a legitimate '.doc' file, which is typically allowed through internet mail relays (unlike .exe files, which are sometimes blocked); and it is targeted at a small number of senior users.
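As an added example (not code from the original post), this Python code decodes the \objdata hex quoted above as an OLE 1.0 embedded-object header followed by a Packager stream, and flags a displayed label whose extension disagrees with the source path. The field layout is assumed from the OLE 1.0 and Packager formats, the function names are illustrative, and the hex is re-wrapped onto fewer lines.

```python
import re
import struct

# Hex from the post's excerpt (re-wrapped; the post's excerpt ends mid-path).
SAMPLE_RTF = r"""{\object\objemb{\*\objclass Package}\objw2325\objh765{\*\objdata
01050000 02000000 08000000 5061636b61676500 00000000 00000000 882e0000
0200446f63756d656e74735f666f725f436173652e70646600433a5c41444f4245527e312e4558
"""

def objdata_bytes(rtf):
    """Return the bytes of the first \\objdata hex run in an RTF string."""
    m = re.search(r"\\objdata\s*([0-9a-fA-F\s]+)", rtf)
    digits = re.sub(r"\s+", "", m.group(1)) if m else ""
    return bytes.fromhex(digits[: len(digits) // 2 * 2])  # drop odd nibble

def parse_ole1_package(data):
    """Parse an OLE 1.0 embedded-object header plus Packager label and path."""
    pos = 0
    def u32():                 # little-endian 32-bit field
        nonlocal pos
        (v,) = struct.unpack_from("<I", data, pos)
        pos += 4
        return v
    def lp_string():           # 4-byte length, then ANSI bytes incl. NUL
        nonlocal pos
        n = u32()
        s = data[pos:pos + n].rstrip(b"\0").decode("latin-1")
        pos += n
        return s
    def c_string():            # NUL-terminated; tolerates a truncated tail
        nonlocal pos
        end = data.find(b"\0", pos)
        stop = len(data) if end < 0 else end
        s = data[pos:stop].decode("latin-1")
        pos = stop + 1
        return s, end >= 0
    info = {"ole_version": u32(), "format_id": u32(), "class": lp_string(),
            "topic": lp_string(), "item": lp_string(), "native_size": u32()}
    pos += 2                   # Packager stream header (0x0002 in this sample)
    info["label"], _ = c_string()
    info["source_path"], info["path_complete"] = c_string()
    return info

def label_path_mismatch(info):
    """True when the label's extension cannot match the source path's."""
    ext = lambda p: p.rsplit(".", 1)[-1].lower() if "." in p else ""
    shown, real = ext(info["label"]), ext(info["source_path"])
    return shown != real if info["path_complete"] else not shown.startswith(real)
```

On the excerpt, the decoded label is Documents_for_Case.pdf while the source path begins C:\ADOBER~1.EX; the path is cut off where the post's excerpt ends.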

Here's the email, somewhat cleaned up. The original was in HTML format:

Received: from smtp.tele.fi (smtp.tele.fi [192.89.123.25])
by *****.*****.org (Postfix) with ESMTP id 0AAC85F13D4
for <*****@*****.org>; Thu, 21 Jun 2007 09:05:37 -0400 (EDT)
Received: from mailgw.benefon.fi (unknown [194.197.24.10])
by smtp.tele.fi (Postfix) with ESMTP id 38E97AE182
for <*****@****.org>; Thu, 21 Jun 2007 16:05:03 +0300 (EEST)
Received: from localhost.localdomain ([192.83.5.2])
by mailgw.benefon.fi (Lotus Domino Release 5.0.9)
with SMTP id 2007062116045807:59067 ;
Thu, 21 Jun 2007 16:04:58 +0300
From: Better Business Bureaus
Subject: Complaint Case Number 450596111
MIME-Version: 1.0
Date: Thu, 21 Jun 2007 16:04:58 +0300
Message-ID:
Content-Type: multipart/mixed; boundary=38ACD4BC0E5E9B20090A53C405940998
To: undisclosed-recipients:;

Dear Mr./Mrs. ***** *****

You have received a complaint in regards to your business services. The
complaint was filled by Mr. ***** ***** on 6/19/2007

Complaint Case Number: XXXXXXXXXX

Complaint Made by Consumer Mr. ***** *****

Complaint Registered Against: Company ********************

Date: 6/19/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated.
Unless they directly relate to the contract that is the basis of this dispute
the following claims will be considered for arbitration only if all parties
agree in writing that the arbitrator may consider them:

- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions.

Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

© 2003 Council of Better Business Bureaus, Inc. All Rights Reserved.