by Dave Michmerhuizen & Luis Chapetti – Security Researchers
Malware distributors are always looking to have their programs installed on the desktops of people who handle money. Barracuda Labs has detected a large scale spam campaign that directly targets Certified Public Accountants. The spam poses as an email from the American Institute of CPAs (AICPA) but delivers a dangerous blend of browser attacks and malware.
Fear is often used by spammers as a tactic to get users to click on their links, and for a CPA, a direct accusation of tax return fraud is certainly fear inducing. While a link in the email reads “Complaint.doc”, it actually directs to a compromised wordpress blog.
Clicking on that link brings up a new page which displays some threatening text about participation in income tax return fraud.
The text is a decoy to divert your attention from the attacks that are being delivered to the browser in the background.
A variety of exploits are sent to the browser resulting in the download and installation of Worm.Cridex.E, a password stealer which sets right to work monitoring web traffic and sending any stolen usernames and passwords to a remote server every 20 minutes.
Always treat unsolicited email with suspicion, regardless of how authentic it appears. Spammers go to great lengths to persuade users to click on their links. In this case a quick check with the AICPAs' website would show that these emails are not from the AICPA. We recommend you always check directly with the organization represented in an email rather than take a chance on an embedded link.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.