More fake BBB spam leading to a malicious payload, this time hosted on the domain sulusize.com on 174.136.4.211 (Colo4, US). The server appears to be a legitimate site that has been hacked, but blocking traffic to that IP is probably a wise idea if you can do it.
Some sample emails (the usual fake BBB approach):
Date: Tue, 23 Jan 2012 11:51:58 +0100
From: “BBB” [info@bbb.org]
Subject: Better Business Bureau service
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 23387543) from your customer with respect to their dealership with you.
Please open the COMPLAINT REPORT below to find the details on this question and suggest us about your position as soon as possible.
We hope to hear from you very soon.
Sincerely,
Rebecca Wilcox
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
==============
Date: Tue, 23 Jan 2012 12:16:00 +0100
From: “Better Business Bureau” [risk.manager@bbb.org]
Subject: Re: your customer's complaint ID 83031311
Attachments: betterbb_logo.jpg
Hello,
Here with the Better Business Bureau notifies you that we have received a complaint (ID 83031311) from one of your customers in regard to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this question and suggest us about your point of view as soon as possible.
We hope to hear from you very soon.
Regards,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau
The malware then tries to download further code from sulusity.com on 209.59.220.65 (Endurance International Group, US), another one to block. A Wepawet analysis is here.
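If you cannot block at the firewall, the same indicators can at least be checked against proxy logs to find machines that opened the "COMPLAINT REPORT" link. The script below is an added example, not code from the original post: it takes the two domains and two IPs named above, matches subdomains of the blocked domains (but not look-alike names such as notsulusize.com), handles CONNECT lines that carry host:port rather than a URL, and runs over a few Squid native-format access log lines constructed for the example (the client addresses, timestamps and the bbb.org/198.51.100.x entries are made up).

```python
from urllib.parse import urlsplit

# Indicators from the post above. Both hosts may be legitimate servers that
# were hacked, so treat hits as "investigate this client", not proof of infection.
BLOCKED_DOMAINS = {"sulusize.com", "sulusity.com"}
BLOCKED_IPS = {"174.136.4.211", "209.59.220.65"}

# Constructed Squid native-format lines (not real logs):
# time elapsed client code/status bytes method URL ident peerstatus/peerhost type
SAMPLE_LOG = """\
1327316000.123    312 10.0.0.15 TCP_MISS/200 4312 GET http://sulusize.com/complaint_report.php - DIRECT/174.136.4.211 text/html
1327316001.456     88 10.0.0.15 TCP_MISS/200 9876 GET http://www.sulusity.com/dl/ - DIRECT/209.59.220.65 application/octet-stream
1327316002.789    120 10.0.0.22 TCP_MISS/200 2211 GET http://www.bbb.org/ - DIRECT/198.51.100.7 text/html
1327316003.012     45 10.0.0.31 TCP_MISS/200 1500 CONNECT 174.136.4.211:443 - DIRECT/174.136.4.211 -
1327316004.345     60 10.0.0.40 TCP_MISS/200 700 GET http://notsulusize.com/ - DIRECT/198.51.100.9 text/html
"""


def host_in_blocklist(host):
    """True if host is a blocked IP, a blocked domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_IPS:
        return True
    # endswith("." + d) stops look-alikes such as notsulusize.com from matching
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def extract_host(url_field):
    """Pull the host out of a URL, or out of the host:port form CONNECT uses."""
    if "://" not in url_field:
        return url_field.rsplit(":", 1)[0]
    return urlsplit(url_field).hostname or ""


def scan_log(text):
    """Return (client, method, host, reasons) for each line touching an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # not a complete native-format line
        client, method, url, peer = fields[2], fields[5], fields[6], fields[8]
        host = extract_host(url)
        peer_ip = peer.split("/", 1)[-1]  # "DIRECT/1.2.3.4" -> "1.2.3.4"
        reasons = []
        if host_in_blocklist(host):
            reasons.append("host:" + host)
        if peer_ip in BLOCKED_IPS:
            reasons.append("peer:" + peer_ip)
        if reasons:
            hits.append((client, method, host, reasons))
    return hits


if __name__ == "__main__":
    for client, method, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {method} {host} <- {', '.join(reasons)}")
```

Checking the upstream peer address as well as the requested host matters here: a client that resolved one of the domains to a new address, or that went straight to the IP over CONNECT, still shows up, and both hosts were moved once already (sulusize.com for the first stage, sulusity.com for the second).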