By Dancho Danchev

Certified public accountants, beware what you click on!

Cybercriminals are currently spamvertising millions of emails impersonating AICPA (American Institute of Certified Public Accountants) in an attempt to trick users into clicking on the client-side exploits and malware serving links found in the emails.

More details:

Screenshot of the spamvertised email:

Upon clicking on the links found in the malicious email, the following bogus “Page loading…” page is displayed:

Spamvertised URL: hxxp://thewebloan.com/wp-includes/notice.html

Client-side exploits serving URLs parked on the same IP (221.131.129.200) - hxxp://jeffknitwear.org/main.php?page=8614d3f3a69b5162; hxxp://lefttorightproductservice.org/main.php?page=4bf5d331b53d6f15

Client-side exploits serving domains responding to the same IP: toeplunge.org; teloexpressions.org; historyalmostany.org

Client-side exploits served: CVE-2010-1885

Detection rate for a sample redirection script with MD5: fa9daec70af9ae2f23403e3d2adb1484 is detected by 4 out of 42 antivirus scanners as Trojan.Script!IK; JS/Iframe.W!tr

Upon successful client-side exploitation, the campaign drops MD5: b00af54e5907d57c913c7b3d166e6a5a on the affected hosts. It’s currently detected by 29 out of 41 antivirus scanners as Trojan.PWS.YWO; Trojan-Dropper.Win32.Dapato.bmtv

Webroot SecureAnywere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.