Cybercriminals are currently spamvertising a malicious email campaign that’s designed to trick you into clicking on a bogus complaint.pdf link which ultimately leads to client-side exploits and malware.
The campaign is launched by the same gang that launched the “Spamvertised ‘Termination of your CPA license’ ” malicious campaign last month.
More details:
Spamvertised subjects: Your accountant license can be revoked; Rejection of your tax appeal; Fraudulent tax return assistance accusations; Tax return fraud notification; Internal Revenue service notification; Income tax return fraud accusations
Spamvertised message: We have received a complaint about your possible participation in income tax refund infringement on behalf of one of your clients. According to AICPA Bylaw Paragraph 765 your Certified Public Accountant status can be revoked in case of the aiding of submitting of a misguided of fraudulent tax return on the member’s or a client’s behalf.
Please familiarize yourself with the complaint below and provide your feedback to it within 14 days. The failure to provide the clarifications within this term will result in withdrawal of your CPA license.
Spamvertised URL: hxxp://www.inductiveminds.com/wp-includes/aic.html
Upon clicking on the link, end and corporate users are exposed to a mix of client-side exploits that ultimately drop malicious software on the targeted hosts. In this case, the campaign attempts to exploit the LibTIFF integer overflow in Adobe Reader and Acrobat (CVE-2010-0188) and the Help Center URL Validation Vulnerability (CVE-2010-1885), ultimately dropping malware with MD5: 0e8ca3f42bc4cc8df8acccb8a4d4af67.
Avoid interacting with these emails. Report them as malicious as soon as possible, and also ensure you’re using the latest version of your third-party software and browser plugins when you browse the Web.
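For mail-gateway or SOC triage, the indicators published above (lure subjects, spamvertised URL, dropper MD5) can be turned into a simple message scanner. The following is an added example, not code from the original post or from Webroot; the sample email is constructed to resemble the lure, and the indicator strings are the ones quoted in the post.

```python
import email
import hashlib
import re
from email import policy

# Indicators quoted from the post above; everything else here is constructed.
CAMPAIGN_SUBJECTS = {
    "your accountant license can be revoked", "rejection of your tax appeal",
    "fraudulent tax return assistance accusations", "tax return fraud notification",
    "internal revenue service notification", "income tax return fraud accusations",
}
CAMPAIGN_MD5 = "0e8ca3f42bc4cc8df8acccb8a4d4af67"
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)

def refang(url):
    """Map a defanged hxxp:// indicator to http:// and drop trailing punctuation."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE).rstrip(".,;)")

CAMPAIGN_URL = refang("hxxp://www.inductiveminds.com/wp-includes/aic.html")

def extract_urls(msg):
    """Collect every URL from the text/plain and text/html parts of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return [refang(u) for u in urls]

def triage(raw_email):
    """Return the campaign indicators an RFC 5322 message matches (empty if none)."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    hits = []
    if str(msg["subject"] or "").strip().lower() in CAMPAIGN_SUBJECTS:
        hits.append("subject matches a campaign lure")
    if any(u.lower() == CAMPAIGN_URL for u in extract_urls(msg)):
        hits.append("body links to the spamvertised URL")
    for part in msg.iter_attachments():
        digest = hashlib.md5(part.get_payload(decode=True) or b"").hexdigest()
        if digest == CAMPAIGN_MD5:
            hits.append("attachment matches the known dropper MD5")
    return hits

# Constructed sample modelled on the lure text above, not a real captured email.
SAMPLE_EMAIL = (
    "From: notice@example.invalid\n"
    "Subject: Rejection of your tax appeal\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Please familiarize yourself with the complaint below:\n"
    "http://www.inductiveminds.com/wp-includes/aic.html\n"
)
```

Feeding `SAMPLE_EMAIL` to `triage()` reports both the subject and the URL match; a message with none of the indicators yields an empty list.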
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
I had received a similar email before but I was not aware of what you shared above… thanks.
I have been following the Webroot blog for a while now and am curious to know: if we are using third-party applications and plugins such as Adobe, are these limited by the ability to execute JavaScript? Can’t we simply disable support for JavaScript and avoid infection? I have yet to see a single PDF that would require JavaScript to function.
I am confused how spammers can have access to these kinds… maybe there should be logins for these types of accounts.