Malicious BBB Certificate Spam


Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered another round of malicious BBB spam today. The spam contains a spoofed From address to look as if the message was sent by the Better Business Bureau. The message uses social engineering tactics to entice readers to follow a link in the message in order to "register new software and update contact information".

We have seen tens of thousands of these messages coming in since noon today. Also of note is that, judging from the format of these messages and the resulting links, this appears to be the work of the same group that has been spamming out malicious phishing messages targeting customers of Bank of America, Wachovia, Royal Bank, and others.

Screenshot of the message: 

Clicking on the link takes the victim to a page which looks like the BBB site. The site stresses that a digital certificate should be used while browsing the BBB site. It then provides a prompt to download a file called "TrustedBBBCertificate.exe" which is actually a Trojan Downloader (SHA-1 dcefc1fb912d7bb536de3e66d9c5c6c8465f0790).

Screenshot of the spam link: 

When this file is executed, it takes the victim to another Web page, hosted on a second malicious domain, for the "Certificate Registration". This secondary site also tries to get the victim to download "TrustedBBBCertificate.exe".

Screenshot of web page visited by TrustedBBBCertificate.exe: 

Websense Messaging and Web Security Customers are protected against this threat.