[ISN] Phony BBB email dupes more than 1,400 execs

From: InfoSec News (alerts@private)
Date: Tue May 29 2007 - 22:16:45 PDT


http://www.theregister.co.uk/2007/05/30/bbb_spear_phishing/

By Dan Goodin in San Francisco
30th May 2007

A provider of online security services has uncovered a highly 
sophisticated phishing scheme that has already duped at least 1,400 US 
executives. They were fooled into sending sensitive information in 
response to an email purporting to come from officials at the Better 
Business Bureau.

The ruse starts with an email addressed to a high-ranking company 
executive that claims a customer has recently filed a complaint. The 
email, which is careful to include the proper spelling of both the 
executive and the company, then invites the recipient to review a copy 
of the complaint by clicking on a link.

And according to Joe Stewart, a senior researcher at SecureWorks, plenty 
of executives did just that. It turns out the link installs a malicious 
post logger that transmits all information submitted through Internet 
Explorer to a website controlled by the attackers.

After reverse engineering the rogue browser helper object that attaches 
itself to IE (the malware doesn't work on other browsers), Stewart says 
he was able to locate a site that stored detailed information on some 
1,400 executives who fell for the scam. What he found surprised even 
him.

"When I realized the targeted nature of it and the extent of the data 
they were collecting, I thought: 'Wow that's far and beyond what we've 
seen,'" he said in an interview.

Word of phishing scams spoofing BBB complaint notices has been around 
since at least the beginning of March, when the national organization 
warned [1] of a batch of phony messages bearing its name. The scheme 
Stewart helped uncover has taken that old play to new levels by 
employing two ingeniously evil tactics.

First, as opposed to phishing campaigns that carpet bomb as many members 
as possible of a bank or other organization, the BBB scam is narrowly 
targeted and is aimed at those who are likely to have the most sensitive 
information to lose. No more than one executive of a company is 
targeted, and the email goes to great lengths to get the names of the 
exec and the exec's company correct.

Even execs for security companies have been targeted. Stu Sjouwerman, a 
VP of Marketing for Sunbelt Software, recently got a BBB come-on, 
according to this blog entry [2]. An individual at SecureWorks has also 
been targeted, Stewart said.

And second, the malware, once successfully installed, proves adept at 
lifting especially sensitive information. Social security numbers, 
account numbers, debit card numbers, prescription information and log-in 
credentials that normally would be securely cloaked behind SSL defenses 
are all fair game.

Some of the information contained in the the attackers' online 
repository was more than three weeks old, Stewart said. The service 
provider that hosted the site has since taken it down. The trojan that 
installs the malware is detected by about 80 per cent of the antivirus 
programs available, Stewart estimates. Many programs refer to it as 
"Troj/Iwebho." A Snort signature developed by SecureWorks to detect 
leakage of data from the trojan is available here [3]. ®

[1] http://www.bbb.org/alerts/article.asp?ID=747
[2] http://sunbeltblog.blogspot.com/2007/05/seen-in-wild-extremely-dangerous-better.html
[3] http://www.secureworks.com/research/threats/bbbphish/?threat=bbbphish



_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Tue May 29 2007 - 22:30:21 PDT