Wednesday, February 06, 2008

A clever, targeted email/web scam with a nasty sting

Steve Kirsch sent me an interesting message he'd received from [email protected] (i.e. an email address from the Better Business Bureau) containing an apparent complaint from a customer submitted through the BBB. The email itself was actually sent from a BellSouth ADSL line (i.e. almost certainly a zombie machine). The address was not authorized to send as according to BBB's SPF records.

But the content of the email message is very interesting. Here's a screenshot:

Notice how the email contains the correct address for Steve, his name and the name of his company and thus appears to be a real complaint. The link below the complaint, where you can get full details, is the first of two nasty stings in this message.

The actual URL is:

i.e. the link actually goes to the BBB's own web site (making it seem even more likely that this is a genuine message). The link manipulates the search option on the BBB web site using the lnk parameter to perform a redirect to which in turn redirects to And it's on that, presumably hacked, site that the real scam starts.

If you are not using Microsoft Internet Explorer you'll be presented with the following web page:

Once you've upgraded you get told that the web site requires the "Adobe Acrobat ActiveX" control and you need to install it.

The control itself is embedded using the following code:

<object classid="clsid:D68E2896-9FD9-4b70-A9AE-CCDF0C321C45" height="0" width="0" codebase=""></object>

Notice how instead of pointing to Adobe's web site to get the control it's available locally as So when you follow the instructions you download and install an ActiveX control from the scammer web site.

Once you've done that you get told that in fact the customer has withdrawn their complaint and there's nothing to worry about:

Now for the second sting. There must be something about this ActiveX control that's malicious... the scammer didn't go to all that trouble for nothing. But none of the current anti-virus programs report any problems with the file.

For example, my Sophos anti-virus says nothing, and online scanners such as Kaspersky's say that it's clean:

So, perhaps the file really is clean, but I suspect that this is a new threat which isn't currently detected by anti-virus. I'll post again when I get a response from Sophos' anti-virus brainiacs. Perhaps, I'm wrong but be very wary of these mails.

Further information about BBB related scams on their web site.

UPDATE: McAfee WebImmune tells me that this is a new detection of the SpyWare which steals information about your web surfing.

UPDATE: A scan using VirusTotal shows that very few anti-virus programs are detecting this (although their version of Kaspersky is finding it---curious that the online Kaspersky scanner does not).

Labels: ,


Blogger Rob Mueller said...

I saw this scammer recently trying to send these emails through our service ( I ended up adding a bunch of blocking rules (that they tried a few times to work around) to stop them, and then alerted the site ([email protected]) about the problem with their URL (see below)

Annoyingly they still don't seem to have fixed it. The email below was sent Dec 18, 2007.

This seems quite a sophisticated scam that's very easy to fall for. Rather a worry who is behind this...


This phisher was trying to use our service ( to send scam emails. I've installed a number of blocks now to catch these emails, but they're pretty persistent in what they're trying!

1. They've signed up from many random IP addresses, so clearly have access to lots of open proxies/trojan machines
2. They're emails are coming from lots of random IP addresses as well, so clearly also access to torjaned machines
3. They're using lots of different credit cards, so clearly have access to lots of stolen credit cards

The biggest concern, they're now using your site as a way to bounce to an external URL!

That looks like it's a URL to your site, but actually it sends you to the external site there. You need to fix up your site so it can't be used to bounce to external URLs.

11:26 PM  
Blogger Jon G said...

fyi, the F-Secure blog frequently posts about such scams. In fact, for a second I thought I was reading an entry off their blog. You might want to try contacting them. :)

2:55 PM  
Blogger Nick said...

Such finely targeted BBB scams of this general nature have been running for a while now, but the use of the redirector on the real BBB site is an interesting twist here.

Fortunately, it seems that the BBB has fixed that redirector.

However, the download site ( is still live. There really is a Kola Fitzpatrick Solicitors and their listed address (according to multiple results in a Google search) is as listed on that web site, but the whois data for the domain looks decidedly bogus. Anyone in/near London want to call the real Kola Fitzpatrick and ask if they know anything about the malware download domain/site??

If KF really has registered that domain, they should do something about getting their site/hosting fixed, and if not, we should do something about having the domain axed. The fact that the domain is still there and that the malware it hosts appears to be being updated (I just downloaded it and the server says "Last-Modified: Wed, 13 Feb 2008 15:19:31 GMT" and only three of more than 25 virus detection engines I tested detect it) suggests that this is still being actively used by the scammer and thus it is presumably "successful' by the scammer's metric.

11:40 PM  
Blogger Roger said...

Excellent writeup. My CEO got the same email around the same date. After finally getting ahold of the headers I was performing the same analysis and found your site when googling the clsid.

The IP our message came from was an open relay on bell south. The IP is assigned to a pharmacy spammer by bell south. I think the open relay is supposed to be plausible deniability.

3:34 AM  

Post a Comment

Links to this post:

Create a Link

<< Home