BBB Phishing Campaign

Malware

March 23, 2023

The NJCCIC observed phishing campaigns claiming to be from the Better Business Bureau (BBB) and targeting business owners in an attempt to deliver Ursnif data-stealing malware to potentially gain remote access, exfiltrate data, and deploy ransomware. The BBB also warned of similar scams. The sender’s name displays “Better Business Bureau”; however, the sender’s email address does not reference BBB and is from various non-US top-level domains (TLD). The emails contain BBB branding, and the subject line displays “Company Complaint” followed by random letters and numbers, purporting to be legitimate complaints against the target’s business. The emails appear generic and convey that specific details of the complaint are available for review and signing in a linked document via the Review Documents button.

If clicked, the target is directed to a geofenced BBB DocuSign eSignature landing page requiring the completion of a CAPTCHA. Once the CAPTCHA is solved, a ZIP file is downloaded containing a large shortcut that uses the Certutil command-line program to decode and run an HTA file found in the shortcut file. This HTA file connects to a C2 server to search for the correct key to validate if the script is permitted to continue running. If the response is correct, the HTA file will produce two files: a PDF file to display the BBB content to the target and a DLL file that ultimately launches Ursnif in the background.
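The email traits described above can be checked mechanically during mail triage. The following is an added example, not NJCCIC code: the function name `bbb_lure_indicators` is hypothetical, and it assumes that `bbb.org` is the genuine BBB sending domain, that "non-US TLD" means a two-letter country code other than `.us`, and that the random subject suffix is a single alphanumeric token.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

LEGIT_DOMAIN = "bbb.org"  # assumption: treated as the genuine BBB sending domain
# Assumption: the "random letters and numbers" form one alphanumeric token.
SUBJECT_RE = re.compile(r"company complaint\W*([a-z0-9]+)", re.I)


def bbb_lure_indicators(raw_message: str) -> list[str]:
    """Return which of the advisory's email traits this message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    hits = []

    claims_bbb = "better business bureau" in display.lower()
    from_bbb = domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)
    if claims_bbb and not from_bbb:
        hits.append("display-name-mismatch")
        # Assumption: "non-US TLD" is read as a two-letter country code, not .us.
        tld = domain.rpartition(".")[2]
        if len(tld) == 2 and tld != "us":
            hits.append("non-us-cctld")

    match = SUBJECT_RE.search(str(msg.get("Subject", "")))
    if match:
        token = match.group(1)
        # Require both letters and digits so ordinary words do not match.
        if any(c.isdigit() for c in token) and any(c.isalpha() for c in token):
            hits.append("complaint-subject")
    return hits


# Constructed samples (".xx" is not an assigned TLD); not taken from real traffic.
LURE = (
    'From: "Better Business Bureau" <notice@constructed-sender.xx>\n'
    "Subject: Company Complaint 8KD2F91A\n\n"
    "Details are available via the Review Documents button.\n"
)
LEGIT = (
    "From: Better Business Bureau <info@bbb.org>\n"
    "Subject: Your accreditation renewal\n\n"
    "Thank you for renewing.\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        print(name, bbb_lure_indicators(raw))
```

A message matching all three traits is a strong candidate for quarantine and analyst review; a single hit on the subject alone is weaker and is better used for scoring than for blocking.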

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications and from clicking links or opening attachments from unknown senders, and to exercise caution with communications from known senders. If unsure of the legitimacy of a message, contact the sender via a separate means of communication, such as by phone, before taking action. Additionally, visit websites directly by manually typing the legitimate URL into a browser and refrain from navigating to online accounts via links delivered in emails. Phishing emails and other malicious cyber activity can be reported to the FBI Internet Crime Complaint Center (IC3) and the NJCCIC.

For any further questions, contact us here at Cyber Command.