
Wednesday 25 September 2013

AICPA spam / children-bicycle.net

This fake AICPA spam leads to malware on the domain children-bicycle.net:

From:     Reggie Wilkins [blockp12@clients.aicpa.net]
Date:     25 September 2013 15:03
Subject:     Your accountant license can be cancelled.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

AICPA logo
Cancellation of Accountant status due to tax return fraud allegations
Valued accountant officer,

We have received a complaint about your recent participation in tax return infringement for one of your employers. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be withdrawn in case of the occurrence of filing of a false or fraudulent tax return for your client or employer.

Please familiarize yourself with the notification below and provide your feedback to it within 14 days. The failure to do so within this term will result in cancellation of your CPA license.

Complaint.pdf


The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066


I haven't seen AICPA-themed spam for a long time, but this follows an established pattern. The link in the email goes to a legitimate hacked site and then on to a malware payload at [donotclick]www.aicpa.org.children-bicycle.net/news/aicpa-all.php (report here)... but only if the visitor is running Windows (more of which in a moment).

The domain children-bicycle.net is registered with fake WHOIS details and the pattern of the domain marks it out as belonging to the Amerika gang:
Administrative Name: Jennifer Horvath
Administrative Company: Jennifer Horvath
Administrative Address: 3499 Latitude Cove
Administrative Address: Milton
Administrative Address: GA
Administrative Address: 30004
Administrative Address: US
Administrative Email: mybigben56@yahoo.com
Administrative Tel: +1.7705008444
The payload is hosted on the following IP addresses (all also listed here):
24.111.103.183 (Midcontinent Media, US)
109.71.136.140 (OpWan, France)
184.82.233.29 (Network Operations Center, US)
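
The lure URL above puts the genuine aicpa.org name at the front of a hostname that actually ends in children-bicycle.net. As an added example (not from the original post), this Python check flags hostnames built that way in proxy or mail logs; the function names, the example.org and example.net sample hosts, and the `[.]`/`hxxp` defang handling are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Names to protect: aicpa.org is from the post, example.org is a constructed stand-in.
PROTECTED = ("aicpa.org", "example.org")

def hostname_of(value):
    """Return the lowercase hostname of a URL, defanged URL or bare host."""
    value = value.strip().lower()
    # Undo defanging: the "[donotclick]" marker used in the post, "[.]", hxxp.
    value = value.replace("[donotclick]", "").replace("[.]", ".")
    if value.startswith("hxxp"):
        value = "http" + value[4:]
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the text as a network location
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:  # malformed input such as unbalanced brackets
        return ""
    return host.rstrip(".")

def embedded_brand(value, protected=PROTECTED):
    """Return the protected domain embedded in a hostname that does not end in it, else None."""
    labels = hostname_of(value).split(".")
    for brand in protected:
        b = brand.split(".")
        if labels[-len(b):] == b:
            continue  # genuine: the hostname really ends in the brand domain
        # Slide over whole labels only, so "notaicpa.org.x" is not a match.
        for i in range(len(labels) - len(b)):
            if labels[i:i + len(b)] == b:
                return brand
    return None

def scan(values):
    """Return (value, brand) pairs for every input that embeds a protected name."""
    pairs = ((v, embedded_brand(v)) for v in values)
    return [(v, b) for v, b in pairs if b]

# Constructed sample: the URL quoted in the post plus made-up hosts.
SAMPLE = [
    "[donotclick]www.aicpa.org.children-bicycle.net/news/aicpa-all.php",
    "https://www.aicpa.org/",
    "login.example.org.cdn.example.net",
    "notaicpa.org.example.net",
]

if __name__ == "__main__":
    for value, brand in scan(SAMPLE):
        print(f"{brand} embedded in {value}")
```

Matching on whole labels keeps the genuine site and look-alike strings such as notaicpa.org out of the results, so the check can run ahead of any blocklist lookup.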

As I mentioned, the code detects the visitor's OS and only sends the victim to the exploit kit if they are running Windows; others end up at the genuine aicpa.org website.



Recommended blocklist:

