We're seeing some new BBB trojan attacks going around.
This attack method is well-known and has been occurring for months: a high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears to be credible and links to a site in order to download the complaint. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the site drops a backdoor on the system.
The message looks like this:
This would be fairly convincing to most recipients, especially since the real company and individual names are used.
The message links to a page under us-bbb.com (the real BBB site is at us.bbb.org).
The site was running over the weekend, was down today on Monday and then just reappeared — with a modified version of the malware.
If the recipient enables ActiveX, the site sends the system a CAB file which gets automatically installed as Acrobat.exe — and displays this:
In reality, it's just installed a backdoor (which we detect as an Agent variant).
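As an added example (not code from the original post), here is a small Python mail-filter heuristic that flags the two things this lure depends on: links whose hostname mentions "bbb" but is not under the real bbb.org, and links that point straight at a CAB/EXE download. The allowlist, the extension list and the sample e-mail body are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: the post names us.bbb.org as the real site, so bbb.org is the only legit domain.
LEGIT_BBB_DOMAINS = {"bbb.org"}
# Assumed list of download types worth flagging; the post describes a CAB that installs as Acrobat.exe.
RISKY_EXTENSIONS = (".cab", ".exe", ".scr")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a hostname: fine for .com/.org, too coarse for ccSLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(url):
    """Return a tuple of reasons a link looks like this lure; empty tuple means nothing suspicious."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    reasons = []
    # Brand impersonation: 'bbb' in the hostname but the registrable domain is not the real one.
    if "bbb" in host and domain not in LEGIT_BBB_DOMAINS:
        reasons.append("lookalike")
    # Direct download of an installable file, whatever the domain.
    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("download")
    return tuple(reasons)


def find_suspicious_links(body):
    """Extract every URL from an e-mail body and return those with at least one reason."""
    hits = []
    for url in URL_RE.findall(body):
        reasons = assess_link(url)
        if reasons:
            hits.append((url, reasons))
    return hits


# Constructed sample message for the example; the lookalike domain is the one named in the post.
SAMPLE_EMAIL = """Dear Sir,
A complaint has been filed against your company. Review it at
http://us-bbb.com/complaint/view.php or visit http://www.us.bbb.org/ for details.
Attachment: http://files.example.net/downloads/Acrobat.cab
"""

if __name__ == "__main__":
    for url, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(url, "->", ", ".join(reasons))
```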