Thursday, August 2, 2012

AICPA Spam Threatens to Revoke License, Launches Malware Attack

AICPACybercriminals are sending out hoards of bogus emails purporting to be from the American Institute of Certified Public Accountants in an attempt to trick certified public accountants into visiting a malicious site to plant malware on their machine.

The email, spotted by internet security researchers at both Webroot and Barracuda Labs, claims that the recipient has been busted for their involvement in income tax fraud and warns that failure to refute the allegations within the allotted timeframe will result in their license being revoked.

That’s a pretty good lie to feed to someone who you want to click before thinking. The legitimate looking HTML layout probably doesn’t help either.

Here’s a copy of the email (note that the wording and number of days given to respond may vary from email to email):

AICPA Spam Malware Attack
Image Credit: Barracuda Labs

Subject: Your accountant CPA license termination

You are receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud accusations

Dear accountant officer,

We have received a complaint about your alleged assistance in income tax return fraud for one of your employers. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a misguided or fraudulent tax return for your client or employer.

Please be informed of the complaint below and respond to it within 14 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.


The American Institute of Certified Public Accountants.

Tel. 888.777.7077
Fax. 800.362.5066

To no surprise, the “Complaint.doc” link in the email leads to a compromised WordPress site that displays a segment of the same speech to the user while the malware attack is silently performed in the background.

Should the attack be successful – which it may very well be if you don’t keep Adobe Flash and/or PDF reader fully patched and run antivirus on your system – then Worm:Win32/Cridex.E will be installed on your PC to partake in evil activities like traffic monitoring, data harvesting, arbitrary file downloading and whatnot.

Any login information grabbed by Cridex will be uploaded to a remote sever controlled by the attackers, which the malware religiously connects to every 20 minutes.

What to Do If You Receive AICPA Spam

If you receive an email similar to the one outlined above, you are advised to:

  • Avoid clicking on any of the embedded links.

  • Delete the email immediately.

The AICPA is aware of this phishing scheme and they have been in touch with law enforcement.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+

No comments:

Post a Comment