BBB Scam Changes Social Engineering Ploy


Filed under Research category.

Since we first wrote about the BBB phishing emails, we’ve seen the variants change from forged BBB complaint letters to false IRS criminal investigation notices to FTC investigation notices. We’re now seeing messages from the same phishing group posing as “Proforma” invoices, sent with a Word document attachment (an actual MS Word file this time, not the RTF doc files used in the other BBB/IRS phishing scheme).

The actual email looks like:
———————————————————————————————-
From: accounting@beckman.com
To: [your name]
Sent: Thu Jun 14 10:45:52 2007
Subject: Proforma Invoice for [your company] (Attn: [your name])
[845f3287d35219769d51b892d2509077]

Hello,

The Proforma Invoice is attached to this message. You can
find the file in the attachments area of your email software.

PS: The invoice also includes the cost for the services
provided for the second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks.

Beckman Instruments, Inc.
2500 Harbor Boulevard, E-26-C
Fullerton, CA 92634-3100

MSG ID:
#40fe0d7c683afa8c7ebda09f55ca88b5:a575f05b1e4d358120a5c98881262691
SIGNATURE:
#c2b2595f0b4d12cfde5315dabeeb7bae:3c19c0592a80d229aed41bd11b5ca545
ANTIVIRUS OK: #5fc97adcc79e2c4c46613281deaf3ade
———————————————————————————————-

Of course, the email is not really from Beckman Instruments. Embedded in the .doc file is the iwebho trojan.

We’ve seen around 200 users infected since yesterday, so clearly the social engineering is working to some extent. While 200 infections may not seem like a huge number in this day and age of million-zombie botnets, remember that these emails are only being sent to executives and high-level management at companies. That means most of the targets will be highly profitable for the phisher, unlike the hit-and-miss proposition of targeting home PC users. Of course, SecureWorks Network Intrusion Protection clients are protected from this trojan. For non-SecureWorks NIP clients, SecureWorks has developed a Snort signature to detect leakage of data from the trojan, which can be found at: http://www.secureworks.com/research/threats/bbbphish
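The lure shown above has a recognizable template: the subject format, the three hash-style trailer lines, and a .doc attachment. As an added example (not SecureWorks code and not the Snort signature mentioned above), this mail-filter heuristic scores a message on those features; the sender, names, hash values and attachment name in the sample are constructed placeholders.

```python
import re
from email.message import EmailMessage, Message

HEX32 = r"[0-9a-f]{32}"
# Trailer lines copied from the lure's layout; the hash values themselves vary.
TRAILERS = {
    "msg_id": re.compile(rf"MSG ID:\s*#{HEX32}:{HEX32}", re.I),
    "signature": re.compile(rf"SIGNATURE:\s*#{HEX32}:{HEX32}", re.I),
    "antivirus_ok": re.compile(rf"ANTIVIRUS OK:\s*#{HEX32}", re.I),
}
SUBJECT = re.compile(r"^Proforma Invoice for .+\(Attn: .+\)", re.I)

def lure_indicators(msg: Message) -> set:
    """Return the names of the template features found in one message."""
    hits = set()
    if SUBJECT.search(str(msg.get("Subject", ""))):
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".doc"):
            hits.add("doc_attachment")
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace")
            hits.update(k for k, rx in TRAILERS.items() if rx.search(body))
    return hits

def is_suspect(msg: Message, threshold: int = 3) -> bool:
    """Flag only when several features coincide, not on any single one."""
    return len(lure_indicators(msg)) >= threshold

def constructed_sample() -> EmailMessage:
    """Constructed test message: placeholder sender, names, hashes and file."""
    m = EmailMessage()
    m["From"] = "accounting@example.com"
    m["Subject"] = "Proforma Invoice for Example Corp (Attn: Jane Doe)"
    m.set_content(
        "Hello,\n\nThe Proforma Invoice is attached to this message.\n\n"
        f"MSG ID:\n#{'a' * 32}:{'b' * 32}\n"
        f"SIGNATURE:\n#{'c' * 32}:{'d' * 32}\n"
        f"ANTIVIRUS OK: #{'e' * 32}\n"
    )
    m.add_attachment(b"placeholder, not a real document",
                     maintype="application", subtype="msword",
                     filename="invoice.doc")
    return m

if __name__ == "__main__":
    print(sorted(lure_indicators(constructed_sample())))
```

Because this group has already rotated through several lures, a template match like this only catches the current variant and should sit alongside attachment scanning, not replace it.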
