Last week, Westfield’s top executives were targeted with a very specific phishing email purporting to be from the Better Business Bureau. As you can see below, this phish uses the BBB’s official logo and colors and follows the format and structure of a legitimate message. When the victim clicks on the "convenient" link in the message, it installs a trojan downloader onto the computer. The downloader then starts loading the computer with keyloggers, back doors and other spyware. If not caught in time, the hacker ends up with complete control of the computers of the company’s top executives.
This was not a widespread spam attack. The phishers knew exactly who in the company would normally receive these kinds of complaints. They knew the correct names and email addresses of their targeted victims. They also spoofed the return address so the email appears to have come from someone at bbb.com, a registered alternate to the BBB’s main domain, bbb.org. This was a well-crafted phish.
Nevertheless, there are a few clues that this was a phish.
- Hover your mouse over the bold blue link in the message BUT DO NOT CLICK THE LINK. Look in the status bar at the bottom left of your browser window and you should see the link’s real destination. In this case, the link goes to http://document-repository.com/redirect.htm?... The BBB’s real website is bbb.org. There are sometimes legitimate reasons for an organization to use an alternate internet domain, but more often a mismatch between the claimed sender and the link’s destination is a sign of fraud. If you see a mismatch, be very suspicious.
- The case number in the subject line does not match the case number in the body of the message. Most likely the “case number” in the subject line is a tracking code the hacker uses to see which messages got through and which were blocked.
- The date of the complaint is 14 May 2007, but the message was sent in late August. Even the BBB isn’t that slow.
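The three clues above can be checked mechanically. The script below is an added example, not code from the original newsletter: it parses a constructed message modelled on the BBB phish (the addresses, case numbers, dates and the `?id=` parameter are invented for illustration) and flags a link whose real destination lies outside the domains the sender claims to use, a subject-line case number that does not appear in the body, and a complaint date far older than the Date header. The set of trusted sender domains is an assumption you would fill in for your own organization.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the phish described above; every identifier
# in it (addresses, case numbers, the id= parameter) is invented.
SAMPLE_EMAIL = """\
From: "Better Business Bureau" <complaints@bbb.com>
To: ceo@westfield.example
Subject: BBB Complaint Case #2007-08-3381
Date: Tue, 28 Aug 2007 09:14:00 -0400
Content-Type: text/html; charset=us-ascii

<html><body>
<p>A complaint (case #4410-1127) was filed against your company on 14 May 2007.</p>
<p><a href="http://document-repository.com/redirect.htm?id=3381">Click here to view the complaint</a></p>
<p>Visit <a href="http://bbb.org/">bbb.org</a> for more information.</p>
</body></html>
"""

# Assumption: domains the real BBB sends from (the post says bbb.com is a
# registered alternate of bbb.org).
TRUSTED_DOMAINS = {"bbb.org", "bbb.com"}


class _HtmlLinks(HTMLParser):
    """Collect (href, anchor text) pairs and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []        # [(href, anchor text)]
        self.text_parts = []   # visible text fragments, tags stripped
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_html(html):
    p = _HtmlLinks()
    p.feed(html)
    return p.links, " ".join(p.text_parts)


def mismatched_links(links, trusted_domains):
    """Links whose real destination is outside the domains the sender claims."""
    return [(href, text) for href, text in links
            if registrable_domain(urlparse(href).hostname or "") not in trusted_domains]


CASE_RE = re.compile(r"case\s*#?\s*([0-9][0-9A-Za-z-]*)", re.I)
DATE_RE = re.compile(r"\b(\d{1,2} [A-Z][a-z]+ \d{4})\b")


def case_numbers(text):
    return set(CASE_RE.findall(text))


def analyze(raw_message, trusted_domains=TRUSTED_DOMAINS, max_age_days=30):
    """Return a dict of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    links, body_text = parse_html(msg.get_payload())
    findings = {}

    # Clue 0: the From: domain itself (spoofable, but still worth recording).
    from_domain = registrable_domain(parseaddr(msg["From"] or "")[1].rpartition("@")[2])
    if from_domain not in trusted_domains:
        findings["from_domain"] = from_domain

    # Clue 1: where the link really goes vs. who the message claims to be from.
    bad = mismatched_links(links, trusted_domains)
    if bad:
        findings["link_domain_mismatch"] = bad

    # Clue 2: subject-line case number vs. case number(s) in the body.
    subj_cases, body_cases = case_numbers(msg["Subject"] or ""), case_numbers(body_text)
    if subj_cases and body_cases and subj_cases.isdisjoint(body_cases):
        findings["case_number_mismatch"] = (sorted(subj_cases), sorted(body_cases))

    # Clue 3: complaint date in the body vs. the Date: header.
    sent = parsedate_to_datetime(msg["Date"]).date()
    for d in DATE_RE.findall(body_text):
        try:
            complaint = datetime.strptime(d, "%d %B %Y").date()
        except ValueError:
            continue
        age = (sent - complaint).days
        if age > max_age_days:
            findings["stale_complaint_date"] = (d, age)
    return findings


if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_EMAIL).items():
        print(f"{name}: {detail}")
```

None of these checks proves a message is a phish on its own (a legitimate mailer can use a tracking domain, and an old complaint can be resent), which is why the output is a list of indicators for a human to weigh, not a verdict.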
If you are an executive or work in close support to an executive, recognize that you are a special target. Hackers know that you have exactly the kind of access and permissions they most want. They assume you don’t have a lot of time to stay current on technological threats. And they know exactly who you are: with all the automated databases and executive listings, there is no anonymity. Hackers (or anyone else) can buy listings with your name, title and email address. See here for an example. And yes, this company requires you to sign a written statement promising to abide by the CAN-SPAM Act, but the kind of person who will steal credit card numbers, fraudulently register internet domains and send out a phish is probably willing to forge a signature on their form.
Always be suspicious of any unsolicited email asking you for information or to follow a link. Double-check where a link really goes before clicking it, and never disable your anti-virus and anti-spyware protections.
The image at the bottom of the article worked perfectly when I sent it out in an email newsletter. Unfortunately, when I archived it into this blog, the site’s software did not seem to handle the image mapping properly, and the widget I used to make the phish’s links appear to work is failing. Until I can figure out how to get it fixed, please ignore some of the wording above. But remember that hovering your mouse over a link is a good way to tell where it’s really pointing.