My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Your CPA License has not been revoked

Published: 2012-12-10. Last Updated: 2012-12-10 17:48:06 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

I have been seeing some e-mails hitting my spam traps today, warning me of my revoked CPA license. No, I am not a CPA. But the e-mails are reasonably well done, so I do think some CPAs may fall for them. At least they got the graphics nice and pretty, but the text could be better worded. 

CPA E-Mail Screen Shot

The only clickable link is the "Delation.pdf" (maye that should be deletion?). Upon clicking the link, we are send on the usual malware redirect loop:

The first stop is 

httx://tesorogroup. com/components/com_ag_google_analytics2/taxfraudalert.html

It includes javascript and meta tag redirects to 

httx://eaglepointecondo. co/ detects /denouncement-reports.php

which will test our browser for vulnerable plugins and try to run a java applet. Looks all very "standard". You may want to check your DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co . The two host currently resolve to 64.15.152.49 and 59.57.247.185 respectively.

Wepawet does a nice job analysing the obfuscated javascript:

http://wepawet.iseclab.org/view.php?hash=c390cd570069882395e24b7a30abbe64&t=1355160668&type=js

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: accountants exploit kit
6 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Just in time, many accounting firms are gearing up for the 2013 tax prep season. Might be good to forward this to IRS, Treasury, FBI.

Taxman

Dec 11th 2012
1 decade ago

Anybody who either has a CPA license or has knowledge of the process should immediately recognize that this is bogus. In the US, state accountancy boards, not the AICPA, have the authority to revoke someone's license.

The AICPA is simply a professional organization. http://www.aicpa.org/About/FAQs/Pages/FAQs.aspx






http://www.aicpa.org/About/FAQs/Pages/FAQs.aspx#aicpa_answer9

Jesse

Dec 11th 2012
1 decade ago

Delation (Law / Legal) = Accusation by an informer.
The term delation has been correctly used by the spammers on the phishing email.

davidparreira

Dec 11th 2012
1 decade ago

Correct wording or not I think the issue is we are getting used to seeing grammar and spelling errors in e-mails and WEB posting. For example Mr. Ullrich stated the following at the end of the article "Upon clicking the link, we are send on the usual malware redirect loop:" Should that not be senT?
I'm guilty of it I know people who are guilty of it and I'm sure you have been guilty of it.

pwobbe

Dec 11th 2012
1 decade ago

And as of *yesterday*, WebSense hadn't flagged either of those websites.

cbob

Dec 11th 2012
1 decade ago

WebSense appears to filter both domains at this point.

Jason R

Dec 11th 2012
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives