Cybercriminals are sending out hordes of bogus emails purporting to be from the American Institute of Certified Public Accountants (AICPA) in an attempt to trick certified public accountants into visiting a malicious site that plants malware on their machines.
The email, spotted by security researchers at both Webroot and Barracuda Labs, claims that the recipient has been accused of involvement in income tax fraud and warns that failure to refute the allegations within the allotted time will result in their license being revoked.
That’s a pretty good lie to feed to someone you want to click before thinking, and the legitimate-looking HTML layout doesn’t help either.
Here’s a copy of the email (note that the wording and number of days given to respond may vary from email to email):
Subject: Your accountant CPA license termination
You are receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Revocation of Public Account Status due to tax return fraud accusations
Dear accountant officer,
We have received a complaint about your alleged assistance in income tax return fraud for one of your employers. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a misguided or fraudulent tax return for your client or employer.
Please be informed of the complaint below and respond to it within 14 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.
The American Institute of Certified Public Accountants.
Unsurprisingly, the “Complaint.doc” link in the email does not lead to a document at all: it points to a compromised WordPress site that shows the visitor part of the same text while the malware attack is silently carried out in the background.
If the attack succeeds, which it may well do if Adobe Flash or your PDF reader is not fully patched and no antivirus is running on the system, Worm:Win32/Cridex.E is installed on the PC, where it monitors traffic, harvests data, downloads arbitrary files and so on.
Any login information grabbed by Cridex is uploaded to a remote server controlled by the attackers, which the malware contacts every 20 minutes.
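The giveaway in this lure is that the link text says “Complaint.doc” while the target is an ordinary web page on an unrelated host. The script below is an added example (it is not from the article or from the researchers who reported the campaign) that checks an HTML email for exactly that mismatch, plus the “license termination” subject. The message it parses is constructed to resemble the lure; the hostname, path and the trusted-domain list are assumptions for the example, not details taken from the real campaign.

```python
"""Triage an HTML lure like the AICPA one: flag links whose visible text
claims to be a document but whose target is an unrelated web host."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the lure described in the article.
# The link host and path are made up for this example.
SAMPLE_EML = """\
From: "AICPA" <membership@aicpa.org>
To: cpa@firm.example
Subject: Your accountant CPA license termination
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear accountant officer,</p>
<p>Please be informed of the complaint below and respond to it within 14 days.</p>
<p><a href="http://blog.example/wp-content/uploads/view.php?id=7">Complaint.doc</a></p>
<p><a href="https://www.aicpa.org/">The American Institute of Certified Public Accountants</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"aicpa.org"}  # assumed: domains the purported sender really uses
DOC_TEXT = re.compile(r"\.(doc|docx|pdf|xls|xlsx|zip)$", re.IGNORECASE)
LURE_SUBJECT = re.compile(r"license\s+(termination|revocation)", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_eml, trusted=TRUSTED_DOMAINS):
    """Return a list of (reason, detail) findings for one raw message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT.search(subject):
        findings.append(("lure-subject", subject))
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkCollector()
    parser.feed(body.get_content())
    for href, text in parser.links:
        url = urlparse(href)
        if not url.netloc:
            continue
        # Link text names a document, but the URL path does not end in that file.
        if DOC_TEXT.search(text) and not url.path.lower().endswith(text.lower()):
            findings.append(("document-text-web-target", f"{text} -> {href}"))
        if not _host_in(url.netloc, trusted):
            findings.append(("untrusted-host", url.netloc))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_EML):
        print(f"{reason}: {detail}")
```

The document-name check is the useful one: a spoofed From: header and a borrowed HTML template are cheap, but a “.doc” that resolves to a PHP page on someone’s blog is hard to explain away, whichever domain it sits on.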
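A fixed 20-minute callback is the kind of cadence that stands out in proxy logs once you look for it. The script below is an added example (not code from the article or from either research team) that groups connections by client and destination and flags pairs whose inter-connection gaps barely vary. The log lines are constructed for the example, and the destination hostnames are hypothetical; it reports the cadence it finds rather than assuming 20 minutes, so it would also catch a sample configured with a different interval.

```python
"""Spot fixed-interval callbacks (the Cridex sample in the article phoned home
every 20 minutes) in web-proxy logs by looking for low-jitter cadences."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log, "timestamp src dst": one client calling a hypothetical
# host every ~20 minutes, another client browsing at irregular times.
SAMPLE_LOG = """\
2012-04-02T09:00:05 10.1.1.23 updates.example-host.net
2012-04-02T09:20:07 10.1.1.23 updates.example-host.net
2012-04-02T09:40:04 10.1.1.23 updates.example-host.net
2012-04-02T10:00:06 10.1.1.23 updates.example-host.net
2012-04-02T10:20:05 10.1.1.23 updates.example-host.net
2012-04-02T10:40:08 10.1.1.23 updates.example-host.net
2012-04-02T09:01:00 10.1.1.40 www.example.com
2012-04-02T09:03:30 10.1.1.40 www.example.com
2012-04-02T09:27:00 10.1.1.40 www.example.com
2012-04-02T10:15:45 10.1.1.40 www.example.com
2012-04-02T10:16:10 10.1.1.40 www.example.com
2012-04-02T11:59:00 10.1.1.40 www.example.com
"""


def parse_log(text):
    """Group connection timestamps by (source, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(text, min_hits=5, max_jitter=0.1):
    """Return {(src, dst): median_gap_seconds} for pairs seen at least min_hits
    times whose gaps vary by less than max_jitter (std dev relative to median)."""
    beacons = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        if pstdev(gaps) / med <= max_jitter:
            beacons[pair] = med
    return beacons


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {gap / 60:.1f} min")
```

Legitimate software updaters and monitoring agents also beacon on a timer, so treat a hit as a lead to check the destination against a known-good list, not as a verdict on its own.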
What to Do If You Receive AICPA Spam
If you receive an email similar to the one outlined above, you are advised to:
- Avoid clicking on any of the embedded links.
- Delete the email immediately.
The AICPA is aware of this phishing scheme and they have been in touch with law enforcement.