Return of ACH Payment Canceled - Email Malware Scams
For the last 2 days I have seen a slowly building spam campaign featuring a previously used trick Subject: "ACH Payment (7 numbers) Canceled." The message body is short and sweet, along the line of the following:
The ACH transaction,
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.Rejected transaction
Reason for rejection: See details in the attachment
The "report" is in a double extension file, with a name like: "report_082011-65.pdf.ZIP (ZIP archive, Adobe PDF)" - although future variants may arrive with just a .zip or just a .pdf extension.
The From line is usually: "account manager" (account.manager@nacha.net, or account.manager@nacha.us). You will be getting these sent to every one of your email accounts, should you have multiple accounts, like I do. Domains with email are especially hard hit in today's spam campaigns.
The actual "sender" is a PC in a spam botnet, operating under commands from the Bot Master running this show. All reply-to and From information is forged.
The payload in the current crop of malware in attachments is the "Zeus" aka: "ZBot" keylogger Trojan. The installer may also make the victim's computer a member of the same botnet from which their scam message was sent. This perpetuates and increases the size of the botnet and steals money from victims as they log into banks and payment portals targeted by this Zeus variant.
My advice to recipients of one of these, or future variations of these scams, is to phone you bank, or financial institution and ask them to check your account for problem transactions. Note, there have been some spam campaigns that include a fake contact phone number that actually leads to people hired by the criminals running particular campaigns. So, your safest bet is to look-up the number for your bank, or flip over your debit or credit card and call the number listed on it.
Interestingly, these malware in attachments scams began on August 25, just after the previous run of UPS malware scams ended. No doubt, the same botnet is sending both, rotating subjects and body text and attachment names, via templates downloaded to the zombie computers in the botnet.
I delete all such malware laden spam messages, which are automatically flagged by one or more custom spam filters I write, by my email screening program: MailWasher Pro - (learn about MailWasher Pro here). My advice to you is to delete them on sight, without opening them. Phone your bank if you are worried.
If your bank sends you email messages and alerts about problems, the message will include your proper name. None of these scams include any personal names as salutations. That is red flag number one in all such malware and phishing scams.
Stay alert to scams in spams. Do not open any email attachments out of curiosity. Only open attachments you are expecting, from senders you are expecting them from, and then, only if you have modern, fully updated anti-virus/anti-malware protection running on your computers.
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.
This weblog is licensed under a Creative Commons License.The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
