Recipients are threatened with account license termination

Jul 20, 2012 11:15 GMT

Internauts are advised to be on the lookout for a fake email that purports to come from the American Institute of CPAs (AICPA). The phony notifications are part of a scheme designed to lure unsuspecting users to a hijacked website that serves a piece of malware.

Similar to other scams, the cybercriminals try to create a sense of urgency by threatening the recipient with account license termination if he/she fails to respond within seven days.

The sample identified by Spyware Sucks looks something like this:

Dear accountant officer,

We have been informed of your alleged assistance in income tax refund infringement for one of your employers. According to AICPA Bylaw Section 765 your Certified Public Accountant status can be cancelled in case of the aiding of submitting of a misguided or fraudulent tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 7 days. The failure to respond within this time-frame will result in termination of your Accountant license.

The link from the message leads to a webpage on a compromised WordPress site that advertises winches. The malicious HTML file attempts to exploit the vulnerability associated with CVE-2010-1885 to push a Trojan onto the computer of the victim.

To ensure that the user doesn’t suspect anything, the webpage displays the following message:

We have received a notice of your recent participation in income tax return fraud for one of your employees. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be withdrawn in case of the fact of submitting of a misguided or fraudulent tax return for your client or employer.

Please be notified below and provide your feedback to it within 21 days. The failure to provide the clarifications within this period will result in cancellation of your Accountant status.

We have urged this particular website’s owner to clean it up. However, in such cases, the cybercriminals are most likely relying on a number of hijacked domains to complete their mission.
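The lure traits the article describes (a deadline of a few days, a threat to the recipient's licence or status, an AICPA bylaw citation, and a link pointing at an unrelated compromised site) can be turned into a simple mail-triage heuristic. The following is an added example, not code from the article or from Spyware Sucks; the sample messages are constructed, and it assumes aicpa.org as the legitimate domain of the impersonated organisation.

```python
import re
from urllib.parse import urlparse

# Domain the lure claims to speak for (assumption: AICPA's real domain is aicpa.org).
CLAIMED_DOMAINS = {"aicpa.org"}

# Constructed sample modelled on the quoted lure, not the actual message.
SAMPLE_EMAIL = """Dear accountant officer,
According to AICPA Bylaw Section 765 your Certified Public Accountant status can be cancelled.
Please respond within 7 days. The failure to respond within this time-frame will result in
termination of your Accountant license. See http://winch-shop.invalid/notice.html
"""
BENIGN_EMAIL = "Hi, the Q2 ledger is attached; let me know if any entries look off."

URGENCY = re.compile(r"\bwithin\s+\d+\s+days?\b", re.I)
THREAT = re.compile(r"\b(terminat|cancel|withdraw)\w*\b.{0,80}\b(license|licence|status)\b", re.I | re.S)
AUTHORITY = re.compile(r"\bAICPA\b|\bBylaw\s+Section\s+\d+", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+")

def off_domain_links(text):
    """Return links whose host is not one of the domains the sender claims to represent."""
    bad = []
    for u in URL.findall(text):
        host = (urlparse(u).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in CLAIMED_DOMAINS):
            bad.append(u)
    return bad

def lure_indicators(text):
    """Map indicator name -> matched evidence for this campaign's lure traits."""
    hits = {}
    for name, rx in (("urgency_deadline", URGENCY), ("license_threat", THREAT),
                     ("authority_claim", AUTHORITY)):
        m = rx.search(text)
        if m:
            hits[name] = m.group(0)
    links = off_domain_links(text)
    if links:
        hits["off_domain_link"] = links
    return hits

def is_suspicious(text, threshold=3):
    """Flag for analyst review when enough independent lure traits co-occur."""
    return len(lure_indicators(text)) >= threshold
```

The decoy page text quoted above (21-day deadline, cancellation of Accountant status) triggers the same urgency and threat indicators, so the heuristic also fits page content captured by a proxy.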