
SANS ISC: InfoSec Handlers Diary Blog - Your CPA License has not been revoked InfoSec Handlers Diary Blog



Your CPA License has not been revoked

Published: 2012-12-10
Last Updated: 2012-12-10 17:48:06 UTC
by Johannes Ullrich (Version: 1)

I have been seeing some e-mails hitting my spam traps today, warning me of my revoked CPA license. No, I am not a CPA. But the e-mails are reasonably well done, so I do think some CPAs may fall for them. At least they got the graphics nice and pretty, but the text could be better worded. 

[Screenshot: CPA e-mail]

The only clickable link is the "Delation.pdf" (maybe that should be deletion?). Upon clicking the link, we are sent on the usual malware redirect loop:

The first stop is 

httx://tesorogroup. com/components/com_ag_google_analytics2/taxfraudalert.html

It includes JavaScript and meta tag redirects to

httx://eaglepointecondo. co/ detects /denouncement-reports.php

which will test our browser for vulnerable plugins and try to run a Java applet. Looks all very "standard". You may want to check your DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co. The two hosts currently resolve to 64.15.152.49 and 59.57.247.185 respectively.
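The DNS log check suggested above can be scripted. This is an added example, not part of the original diary entry. It assumes BIND-style query log lines; the function names are hypothetical, and the sample log lines and client addresses are constructed.

```python
import re
from collections import defaultdict

# Domains named in the diary entry.
WATCHLIST = ("tesorogroup.com", "eaglepointecondo.co")

# Assumption: BIND-style query log ("client IP#port ...: query: NAME IN TYPE").
QUERY_RE = re.compile(
    r"client\s+(?:@0x[0-9a-fA-F]+\s+)?(?P<client>[0-9a-fA-F.:]+)#\d+"
    r"(?:\s+\([^)]*\))?:\s+query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)"
)

def matches_watchlist(qname, watchlist=WATCHLIST):
    """Return the watched domain that qname equals or is a subdomain of, else None."""
    # Normalize case and the trailing root dot before comparing.
    name = qname.rstrip(".").lower()
    for domain in watchlist:
        # Label-boundary match: avoids hits on "nottesorogroup.com" or
        # "eaglepointecondo.co.example.net".
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def find_resolvers(lines, watchlist=WATCHLIST):
    """Map each watched domain to the sorted client IPs that queried it."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        domain = matches_watchlist(m.group("qname"), watchlist)
        if domain:
            hits[domain].add(m.group("client"))
    return {d: sorted(c) for d, c in hits.items()}

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
10-Dec-2012 17:02:11.101 client 192.0.2.15#53211: query: tesorogroup.com IN A + (192.0.2.1)
10-Dec-2012 17:02:12.440 client 192.0.2.15#53212: query: EaglePointeCondo.co. IN A + (192.0.2.1)
10-Dec-2012 17:03:40.007 client 192.0.2.77#40110 (www.tesorogroup.com): query: www.tesorogroup.com IN AAAA + (192.0.2.1)
10-Dec-2012 17:04:02.911 client 192.0.2.30#51000: query: nottesorogroup.com IN A + (192.0.2.1)
10-Dec-2012 17:04:09.300 client 192.0.2.31#51001: query: eaglepointecondo.co.example.net IN A + (192.0.2.1)
10-Dec-2012 17:05:00.000 client 192.0.2.40#51002: query: isc.sans.edu IN A + (192.0.2.1)
""".splitlines()

if __name__ == "__main__":
    for domain, clients in find_resolvers(SAMPLE_LOG).items():
        print(f"{domain}: {', '.join(clients)}")
```

Clients that show up here are the ones worth checking for the follow-on plugin probe and Java applet load described above.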

Wepawet does a nice job analysing the obfuscated JavaScript:

http://wepawet.iseclab.org/view.php?hash=c390cd570069882395e24b7a30abbe64&t=1355160668&type=js

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
