By Dancho Danchev
Certified public accountants, beware what you click on!
Cybercriminals are currently spamvertising millions of emails impersonating the AICPA (American Institute of Certified Public Accountants) in an attempt to trick users into clicking on links in the emails that serve client-side exploits and malware.
Screenshot of the spamvertised email:
Upon clicking on the links found in the malicious email, the following bogus “Page loading…” page is displayed:
Spamvertised URL: hxxp://thewebloan.com/wp-includes/notice.html
Client-side exploits serving URLs parked on the same IP (188.8.131.52) – hxxp://jeffknitwear.org/main.php?page=8614d3f3a69b5162; hxxp://lefttorightproductservice.org/main.php?page=4bf5d331b53d6f15
Client-side exploits serving domains responding to the same IP: toeplunge.org; teloexpressions.org; historyalmostany.org
Client-side exploits served: CVE-2010-1885
Detection rate: a sample redirection script with MD5: fa9daec70af9ae2f23403e3d2adb1484 is detected by 4 out of 42 antivirus scanners as Trojan.Script!IK; JS/Iframe.W!tr
Upon successful client-side exploitation, the campaign drops MD5: b00af54e5907d57c913c7b3d166e6a5a on the affected hosts. It’s currently detected by 29 out of 41 antivirus scanners as Trojan.PWS.YWO; Trojan-Dropper.Win32.Dapato.bmtv
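An added example, not part of the original post: a Python check that matches the hosts listed above against proxy log lines and also flags the `/main.php?page=<16 hex characters>` URL shape shared by the two exploit-serving URLs. The log format (`client url`), the client addresses and the `.example` hosts are constructed, and treating that URL shape as a campaign pattern is an assumption drawn from those two URLs.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this post, kept defanged as published.
DEFANGED_URLS = [
    "hxxp://thewebloan.com/wp-includes/notice.html",
    "hxxp://jeffknitwear.org/main.php?page=8614d3f3a69b5162",
    "hxxp://lefttorightproductservice.org/main.php?page=4bf5d331b53d6f15",
]
DEFANGED_DOMAINS = ["toeplunge.org", "teloexpressions.org", "historyalmostany.org"]
# Assumption: landing URLs share the shape of the two listed above
# (/main.php?page=<16 hex chars>); inferred from the post, not stated in it.
LANDING_RE = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$", re.I)

def refang(value):
    """Undo common defanging so indicators compare against real log data."""
    return value.replace("hxxp", "http", 1).replace("[.]", ".")

def host_of(url):
    """Lower-cased hostname of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

BAD_HOSTS = {host_of(refang(u)) for u in DEFANGED_URLS} | set(DEFANGED_DOMAINS)

def classify(url):
    """Return 'ioc-host', 'landing-pattern' or None for one requested URL."""
    parts = urlsplit(url)
    host = host_of(url)
    if host in BAD_HOSTS or any(host.endswith("." + h) for h in BAD_HOSTS):
        return "ioc-host"
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    return "landing-pattern" if LANDING_RE.match(path_q) else None

def scan(log_lines):
    """Yield (client, url, reason) for proxy lines of the form 'client url'."""
    for line in log_lines:
        client, _, url = line.strip().partition(" ")
        reason = classify(url)
        if reason:
            yield client, url, reason

# Constructed sample proxy log: client addresses and .example hosts are made up.
SAMPLE_LOG = [
    "10.0.0.5 " + refang(DEFANGED_URLS[0]),
    "10.0.0.5 " + refang(DEFANGED_URLS[1]),
    "10.0.0.9 http://unlisted.example/main.php?page=0123456789abcdef",
    "10.0.0.7 http://intranet.example/main.php?page=home",
]
if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The pattern rule is broader than the host list and can match unrelated sites that happen to use the same URL shape, so hits on it are leads to review rather than confirmed indicators.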
Webroot SecureAnywhere users are proactively protected from this threat.