Your CPA License has not been revoked
I have been seeing some e-mails hitting my spam traps today, warning me of my revoked CPA license. No, I am not a CPA. But the e-mails are reasonably well done, so I do think some CPAs may fall for them. At least they got the graphics nice and pretty, but the text could be better worded.
The only clickable link is the "Delation.pdf" (maybe that should be deletion?). Upon clicking the link, we are sent on the usual malware redirect loop:
The first stop is
httx://tesorogroup. com/components/com_ag_google_analytics2/taxfraudalert.html
It includes javascript and meta tag redirects to
httx://eaglepointecondo. co/ detects /denouncement-reports.php
which will test our browser for vulnerable plugins and try to run a Java applet. It all looks very "standard". You may want to check your DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co. The two hosts currently resolve to 64.15.152.49 and 59.57.247.185 respectively.
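One way to run that DNS log check, as an added example that is not part of the original diary: it scans query-log lines for the two domains named above and lists the clients that resolved them, matching subdomains and trailing-dot names without flagging look-alikes. The BIND 9 style log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Domains named in the diary entry above.
WATCHLIST = ("tesorogroup.com", "eaglepointecondo.co")

# Assumed BIND 9 style query-log line; adjust the pattern for your resolver.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def matches_watchlist(qname):
    """Return the watched domain that qname equals or is a subdomain of."""
    name = qname.rstrip(".").lower()
    for domain in WATCHLIST:
        # Label-boundary match: a plain substring test would also flag
        # nottesorogroup.com or eaglepointecondo.com.
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def find_resolvers(lines):
    """Map each watched domain to the sorted client IPs that queried it."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        domain = matches_watchlist(m.group("qname"))
        if domain:
            hits[domain].add(m.group("client"))
    return {d: sorted(c) for d, c in hits.items()}

# Constructed sample log lines (documentation address range), not real data.
SAMPLE_LOG = """\
11-Dec-2012 09:14:02.101 client 192.0.2.15#51234: query: tesorogroup.com IN A + (192.0.2.53)
11-Dec-2012 09:14:03.440 client 192.0.2.15#51240: query: EaglePointeCondo.co. IN A + (192.0.2.53)
11-Dec-2012 09:20:11.009 client 192.0.2.77#40022: query: www.tesorogroup.com IN AAAA + (192.0.2.53)
11-Dec-2012 09:21:45.300 client 192.0.2.80#40100: query: eaglepointecondo.com IN A + (192.0.2.53)
11-Dec-2012 09:22:10.712 client 192.0.2.81#40101: query: nottesorogroup.com IN A + (192.0.2.53)
""".splitlines()

if __name__ == "__main__":
    for domain, clients in find_resolvers(SAMPLE_LOG).items():
        print(domain, "resolved by", ", ".join(clients))
```

Clients that show up here are the ones to check next in proxy or firewall logs for connections to the two addresses listed above.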
Wepawet does a nice job analysing the obfuscated javascript:
http://wepawet.iseclab.org/view.php?hash=c390cd570069882395e24b7a30abbe64&t=1355160668&type=js
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
Taxman
Dec 11th 2012
1 decade ago
The AICPA is simply a professional organization. http://www.aicpa.org/About/FAQs/Pages/FAQs.aspx
http://www.aicpa.org/About/FAQs/Pages/FAQs.aspx#aicpa_answer9
Jesse
Dec 11th 2012
1 decade ago
The term delation has been correctly used by the spammers on the phishing email.
davidparreira
Dec 11th 2012
1 decade ago
I'm guilty of it, I know people who are guilty of it, and I'm sure you have been guilty of it.