Friday, 17 February 2012

"Your accountant CPA license termination" spam / biggestsetter.com and 199.30.89.0/24

I haven't seen this spam before, but the malicious payload it leads to is very familiar.

Date:      Fri, 16 Feb 2012 14:35:18 +0200
From:      "Mae Keller"
Subject:      Your accountant CPA license termination.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your alleged participation in tax return fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Section 700 your Certified Public Accountant license can be cancelled in case of the occurrence of filing of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 7 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Although it claims to be from "The American Institute of Certified Public Accountants" (aicpa.org), the "from" address claims to be the BBB.

Click on the "complaint.pdf" link and you are redirected to biggestsetter.com/search.php?page=73a07bcb51f4be71 which attempts to download the Blackhole Exploit Kit. biggestsetter.com is hosted on 199.30.89.187 (Zerigo / Central Host Inc). This netblock has been used several times in the past few days so my advice is to block access to 199.30.89.0/24.
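To check whether any client has already reached this infrastructure, the indicators above can be run over web proxy logs. The following is an added example, not part of the original post; the log line format, the sample lines, and the generalisation of the landing URL to "search.php?page=" followed by 16 hex characters are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
BLOCKED_NET = ipaddress.ip_network("199.30.89.0/24")
BLOCKED_HOSTS = {"biggestsetter.com"}
# Assumed generalisation of the one landing URL in the post: 16 hex chars.
LANDING_RE = re.compile(r"^/search\.php\?page=[0-9a-f]{16}$")

# Constructed sample lines, assumed format: <ts> <client> <dest_ip> <method> <url>
SAMPLE_LOG = """\
2012-02-17T09:14:02Z 10.0.4.21 199.30.89.187 GET http://biggestsetter.com/search.php?page=73a07bcb51f4be71
2012-02-17T09:14:05Z 10.0.4.22 192.0.2.10 GET http://example.org/index.html
2012-02-17T09:15:40Z 10.0.4.30 199.30.89.12 GET http://placeholder.example/search.php?page=0123456789abcdef
2012-02-17T09:16:11Z 10.0.4.31 198.51.100.7 GET http://www.biggestsetter.com/
2012-02-17T09:17:00Z 10.0.4.32 not-an-ip GET http://example.net/search.php?page=zz
"""

def check_line(line):
    """Return (client_ip, reasons) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, client, dest, _method, url = parts
    reasons = []
    try:
        if ipaddress.ip_address(dest) in BLOCKED_NET:
            reasons.append("netblock")
    except ValueError:
        pass  # destination is not a literal IP; still inspect the URL
    u = urlsplit(url)
    host = (u.hostname or "").lower().rstrip(".")
    if any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS):
        reasons.append("hostname")
    if LANDING_RE.match(u.path + ("?" + u.query if u.query else "")):
        reasons.append("landing-url")
    return client, reasons

def find_hits(log_text):
    """Return only the (client_ip, reasons) pairs that matched an indicator."""
    results = [check_line(line) for line in log_text.splitlines()]
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for client, reasons in find_hits(SAMPLE_LOG):
        print(client, ",".join(reasons))
```

A "landing-url" match on its own is a weak signal, since the pattern is inferred from a single URL; treat it as a lead and give priority to clients that also match the netblock or hostname.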

Some more examples:

Date:      Fri, 16 Feb 2012 14:40:46 +0100
From:      "Susie Smallwood"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Dear AICPA member,

We have been notified of your recent assistance in income tax refund fraud on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the occurrence of submitting of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the complaint below and respond to it within 7 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:25:24 +0100
From:      "Alvaro Best"
Subject:      Tax return fraud notification.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud allegations

Dear accountant officer,

We have been notified of your possible participation in income tax return fraudulent activity for one of your clients. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be cancelled in case of the act of submitting of a misguided or fraudulent income tax return for your client or employer.

Please find the complaint below below and respond to it within 14 days. The failure to provide the clarifications within this period will result in withdrawal of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:21:48 +0100
To:      
Subject:      Fraudulent tax return assistance accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your possible assistance in tax return fraudulent activity on behalf of one of your employers. According to AICPA Bylaw Section 500 your Certified Public Accountant license can be withdrawn in case of the fact of submitting of a incorrect or fraudulent tax return for your client or employer.

Please find the complaint below below and respond to it within 21 days. The failure to respond within this period will result in withdrawal of your CPA license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

5 comments:

GilbertTwins said...

I received one that had the Trojan infection available at a restaurant web site in NYC... http://ginosbayridge.com

I've notified the owner on Facebook, but they could care less, just deleted my message. Someone had access to their server in order to place the infected file there.

Teeblog said...

Interesting - I received this same one today. Even weirder, it was sent to a tagged email address of mine... I tag all email addresses I give to any group or organization with who will be sending it.

The email I received like this was tagged with the email address my bank has for me, although it is an older version of this email address.

This leads me to believe that email addresses were sold, stolen or in some other way escaped the grasp of my financial institution. A bit scary...

- T

Conrad Longmore said...

@GilbertTwins - the first stage in the infection is always a hacked legitimate site, then you usually get redirected to another hacked site before ending up on the evil site with the malware on. There are certainly hundreds of hacked sites being abused this way.

@Teeblog - worrying indeed. These addresses are often taken from infected PCs rather than servers. It could be that a PC at your bank is infected.

Teeblog said...

@Conrad Longmore - hmm, I always forget about that possibility. I went to my bank today and mentioned it to them, and they said there had been no reported security breach; your explanation would make more sense.

I used to be employed at my bank (I'm a software developer), and we had access to plenty of real customer data. I'm sure there was a lot of it sitting around on many employees' desktops.