Better Business Bureau Spoofed In Phishing Scam
The agency is warning people of a spoofing scam that is using the Better Business Bureau name and a false e-mail address to lure users to click on links and connect with malicious Web sites.
The Better Business Bureau has found itself tangled up in a phishing attack that is blasting U.S. and Canadian consumers and businesses.
The agency, which is a network of local offices that investigate consumer complaints, issued a statement on its Web site, warning people of a spoofing scam that is using the Better Business Bureau name and a false e-mail address to lure users to click on links and connect with malicious Web sites. A computer system at a Kennesaw, Ga., business was compromised on Monday night, the agency said. The compromised computers were then used to generate thousands of counterfeit messages, each claiming to be a complaint filed with the agency.
The e-mail has a phony return address of firstname.lastname@example.org and a hyperlink citing a Better Business Bureau complaint case number. The agency gave "DOCUMENTS FOR CASE #263621205" as an example. The links actually lead to a subdirectory of the hacked firm's Web site, where users are asked to download documents related to the complaint.
The download, however, is actually an executable file that is believed to be some form of a computer virus, according to the agency's release.
"All recipients are advised that any e-mail from the email@example.com address is not coming from [the Better Business Bureau] and should be considered counterfeit," the warning says. "The Better Business Bureau strongly encourages recipients of any such message to delete the message immediately without clicking on the 'DOCUMENTS FOR CASE' links."
The phishing e-mail return address of firstname.lastname@example.org does not exist and is being spoofed. Spoofing means that an e-mail address is altered to appear as if the message originated from a legitimate source.
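Because the return address is forged, a mail filter learns more from where a message's links lead than from its From line. The following Python is an added example, not code from the article or the agency: it flags the indicators described above (the "DOCUMENTS FOR CASE" link text, a link host that differs from the claimed sender's domain, and a link to an executable). The `triage` function, the indicator names, the extension list and the host `hacked-firm.example` are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure wording is quoted in the BBB warning. The extension list and the
# sample message (placeholder host hacked-firm.example) are constructed.
LURE = re.compile(r"DOCUMENTS FOR CASE", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".bat")
SAMPLE = (
    "From: firstname.lastname@example.org\n"
    "Content-Type: text/html\n\n"
    '<a href="http://hacked-firm.example/docs/">DOCUMENTS FOR CASE #263621205</a>\n'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):
    """Return (indicator, href) pairs for each suspicious link in a raw message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    html = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                   for part in msg.walk() if part.get_content_type() == "text/html")
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        checks = {
            "lure_text": bool(LURE.search(text)),
            "off_domain_link": host not in ("", domain) and not host.endswith("." + domain),
            "executable_download": url.path.lower().endswith(EXEC_EXT),
        }
        findings += [(name, href) for name, hit in checks.items() if hit]
    return findings
```

An off-domain link on its own is common in legitimate mail, so treat it as a signal to combine with the others rather than a verdict.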
Phishing is when hackers send out fraudulent e-mails in an attempt to con people into giving up sensitive personal and financial information. Phishing is an increasingly popular tool for hackers and cyber thieves. In January, a California man was found guilty of operating a sophisticated phishing scheme that attempted to dupe thousands of AOL users. It was the first jury conviction under the Can-Spam Act of 2003. He's facing a maximum sentence of 101 years in prison.