Wednesday, February 14, 2007

Spoofed (counterfeit) BBB e-mails contain virus

If you get an e-mail from the Better Business Bureau stating you have received complaints, don't click on the link to view them.

Annys Shinn (Washington Post) is reporting:

The Better Business Bureau network was the target of a "spoofing" scam yesterday in which thousands of businesses in the United States and Canada received e-mails encouraging them to download what is thought to be a computer virus.

The e-mails, using the name of the 95-year-old network of nonprofit groups that looks into consumer complaints, told businesses that they were the subject of a complaint and included a link to view related documents. Clicking on the link, however, accessed the address book of an infected computer and distributed the counterfeit e-mail to more recipients, said Steve Cox, spokesman for the Council of Better Business Bureaus.

Washington Post article, here.

Wandering to the BBB site to see what they had to say, I found a little more information. Apparently, if you click on the link, it downloads an executable file, believed to contain a virus.

The BBB and others are calling this a phishing attempt, but in phishing the intent is normally to get the user to provide personal and/or financial information to the sender. Since this doesn't seem to be the case, and no one is saying exactly what the executable file (virus) is, this doesn't appear to be phishing.

It will be interesting to see exactly what this executable file does, but some computer viruses (crimeware and malware) download keyloggers, which log a person's keystrokes and are used to steal personal and financial information.

Other computer viruses might turn a computer into a zombie, which allows someone else to use it for their own purposes (sending spam or denial of service attacks). Zombie computers are formed into what are known as botnets (groups of zombie computers), which are used for illicit purposes by their "controller."

You can download a lot of nasty things by clicking on something from someone you don't know. And the people behind it like to spoof well-known entities, such as the BBB. Organizations from eBay to the FBI have been spoofed in the past.

Example of spoofed e-mail from the BBB site:

From: operations@bbb.org [mailto:operations@bbb.org]
Sent: Tuesday, February 13, 2007 6:06 AM
To: XXXX
Subject: BBB Case #263621205 - Complaint for XXXX

Dear Mr./Mrs. XXXX

You have received a complaint in regards to your business services. The complaint was filled by Mr. XXXX on 02/05/2007/

Use the link below to view the complaint details:

DOCUMENTS FOR CASE #263621205

Complaint Case Number: 263621205
Complaint Made by Consumer Mr. XXXX
Complaint Registered Against: Company XXXX
Date: 02/05/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint can be obtained using the link below:

DOCUMENTS FOR CASE #263621205

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

2 comments:

Anonymous said...

I received the same email today from the "IRS":

Dear XYZ,

You have received a complaint in regards to your business services .The complaint was filled By Mr. Kevin Ferguson on 05/29/2007/

Complaint Case Number: 875487596
Complaint made By Consumer Mr. Kevin Ferguson
Complaint registered against : - OUR COMPANY
Date: 05/30/2007/
Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
Claims based on product liability;
Claims for personal injuries;
Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.

The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.



© 2007 Council of IRS, Inc. All Rights Reserved.

Anonymous said...

We had the EXACT same thing happen to us today. They had our company name and one of our employees.

We had the IRS letter.