AhnLab Security Center


Hooked On Phishing By Fake Better Business Bureau


Recently the distribution of a malicious email allegedly from the Better Business Bureau (BBB), a non-profit organization focused on advancing market trust in America, has been confirmed. Users are warned that it contains a familiar Google URL which is shortened to obfuscate redirects. 


The cunningly disguised email supposedly from the BBB is shown in Figure 1. BBB collects and provides business reviews along with handling complaints and disputes between consumers and businesses. Thus, this email is disguised as an automated email to a complaint, informing the recipient that they should reply within the 24 hours. The recipient must then click on the shortened URL to obtain further details. The email avoids suspicion by containing the recipient’s name and the company in the email.  



[Figure 1] Content of the spam email 


When the recipient clicks on the shortened Google URL, they are redirected to a familiar URL starting with www.google.com... as shown in Figure 2, where a .js file is downloaded.



[Figure 2] The redirecting URL and the downloaded .js file


If the recipient opens the downloaded .js file, an ostensible BBB reply form appears as shown in Figure 3. The continuous familiarity in the email content and the attachment helps avoid suspicion from users.  



[Figure 3] Generated .doc file (bait file)


While the recipient is occupied reading the form, this .js file creates a DLL file, disguised as a .txt file. The DLL file deletes itself after creating a script file but the generated script file attempts to access a malicious IP address. 


While many users are aware of how malware is distributed via email attachments, less are aware of URLs. If the recipient’s name and company name are stated in the email, users are more susceptible to click on the URL.


This scam masquerading as a well-known organization such as the BBB is similar to an APT (Advanced Persistent Threat) attack, which uses a variety of intelligence to perform reconnaissance on a target before sending an email ostensibly from a specific company. In addition, a variety of attack techniques have been used, including the use of shortened Google URL and a relevant attachment file to avoid user suspicion. 


In order to avoid harm from evolving cyberattacks, users are warned to be extra vigilant and refrain from clicking on a URL contained in an unidentified email. AhnLab offers applicable responses on this type of attacks, through its major solutions. 


AhnLab’s Advanced Persistent Threat (APT) solution, AhnLab MDS, counters such malware attacks by employing Mail Transfer Agent (MTA) mode. In this mode, AhnLab MDS detects, analyzes, and quarantines potentially malicious emails that contains suspicious URLs, thereby responding effectively not only to advanced spear-phishing email attacks, but also to email-based ransomware.


To learn more about AhnLab MDS, please visit ahnlab.com. 


Also, V3, AhnLab’s anti-malware products, detects the relevant malware as below:

<Alias identified by V3 products>