ACH email scams with malware in attachments continue
Earlier this week there was a drop-off in the previous spam run of fake "ACH Payment Canceled" emails, all of them carrying malware inside their attached files. They were replaced by a blast of FDIC scams. Now the ACH scams have returned, with a vengeance.
The subject line in today's spam blast is "ACH Transfer Review". The forged sender is an account name like this: ach [email protected]. The body text reads as follows:

Dear Client,
ACH transfer (ID:) is going to be reviewed because of the incorrectly input data when sending the payment.
Important:
Please, fill in the application form attached attentively and send it to us. After that your transfer will be processed.
If you have any questions or comments, contact us at [email protected].
Thank you for using www.nacha.org
(NAME REMOVED)
NACHA Risk Management Services
The attached "form" is currently named "form-62091.zip", and it contains a Trojan horse (currently Zbot, a.k.a. Zeus). Once run, it infects your computer with malware that intercepts your keystrokes when you log into a bank, or any other financial organization on the perpetrators' target list, and then sends your login credentials to the criminals renting the botnet, whose member computers are the ones sending these scams to you and everybody else. Some variants of the ACH scams instead install a downloader (currently "Bredolab"), which then fetches the other bad stuff onto your PC, and possibly onto the other PCs on your network.
The email claims to come from the headquarters of ACH, but the headers show something different. Look at these three "Received:" lines, taken from three different spam emails received today:
Received: from [115.118.159.231] (helo=cgorq.com)
Received: from [178.123.157.77] (helo=sqibyat.com)
Received: from [187.117.248.91] (helo=hcyayyax.com)
The IP 115.118.159.231 belongs to TATA Communications, in India. The IP 178.123.157.77 is assigned to the Republic of Belarus. Last, 187.117.248.91 belongs to a hacked computer in Brazil. None of them has anything to do with the claimed sender: the real ACH Network is governed by NACHA (nacha.org), a US-based association whose servers are here in the USA. NACHA stands for National Automated Clearing House Association.
The real NACHA does not send email alerts to individual bank customers; it deals only with the banks and credit unions themselves. Unless you work for a bank or credit union, you should never receive any email from nacha.org (or nacha.us, .net or .com).
Since February 2011, NACHA has been the victim of sustained and evolving phishing attacks in which consumers and businesses are receiving emails that appear to come from NACHA. The attacks are occurring with greater frequency and increased sophistication. Perpetrators are sending these fraudulent messages to email addresses globally.

So now you know: NACHA will not send you any email concerning ACH transactions. A genuine notice can only come directly from the bank or credit union you deal with, and only if you have actually made or requested a money transfer recently. These scams are really aimed at the people responsible for paying invoices at large companies, but rather than targeting those companies specifically, the spammers blast the scams out by the billions, across the entire globe.
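The two checks made by hand above, comparing the originating host in the "Received:" headers with the claimed sender domain and looking at what is really inside the zipped "form", can be scripted. The following is an added example, not code from the original post or from any tool it mentions. It builds a constructed sample message reproducing the quoted headers and attachment (the local part of the forged nacha.org sender and the receiving host name "mx.example.net" are assumptions, since the page only shows the domain; the zip holds a harmless placeholder under a double extension rather than the real dropper) and then runs the triage over it. Whois and geolocation of the originating IP remain a manual step.

```python
"""Triage of a suspicious message: Received-header origin vs. claimed sender,
and a look inside a zip attachment without opening anything in it."""
import email
import io
import ipaddress
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Matches the "from [ip] (helo=name)" form of the Received headers quoted above.
RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s*\(helo=(?P<helo>[^)\s]+)\)",
    re.IGNORECASE,
)

# File types that never belong inside a "form" a financial institution sends.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

# The three Received headers quoted in the post, one per sample message.
SAMPLE_RECEIVED = [
    "from [115.118.159.231] (helo=cgorq.com)",
    "from [178.123.157.77] (helo=sqibyat.com)",
    "from [187.117.248.91] (helo=hcyayyax.com)",
]


def build_sample_message(received: str) -> bytes:
    """Constructed sample reproducing the scam's shape; not a real capture.

    The sender local part and the receiving host are assumptions. The zip
    holds a harmless text file under a double extension, standing in for
    the Zbot dropper described in the post.
    """
    msg = EmailMessage(policy=policy.default)
    msg["Received"] = received + " by mx.example.net"  # assumed receiving host
    msg["From"] = "ach_review@nacha.org"                # assumed forged local part
    msg["Subject"] = "ACH Transfer Review"
    msg.set_content("Dear Client, please fill in the attached form.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("form-62091.pdf.exe", b"placeholder, not a real binary")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="form-62091.zip")
    return msg.as_bytes()


def parse_received(values):
    """Return (ip, helo) pairs from Received header values; skip unparsable ones."""
    hops = []
    for value in values:
        m = RECEIVED_RE.search(" ".join(str(value).split()))  # unfold the header
        if m:
            hops.append((m.group("ip"), m.group("helo").lower()))
    return hops


def helo_matches(helo: str, sender_domain: str) -> bool:
    """True when the HELO name is the sender's domain or a subdomain of it."""
    return helo == sender_domain or helo.endswith("." + sender_domain)


def zip_members_with_executables(data: bytes):
    """Names of zip members with an executable extension. Only the central
    directory is read; nothing is extracted, so a decompression bomb is inert."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Apply the checks the post makes by hand and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    findings = {"sender_domain": sender_domain, "foreign_hops": [], "bad_attachments": []}
    for ip, helo in parse_received(msg.get_all("Received", [])):
        # A hop that does not identify as the claimed domain, or that comes
        # from a non-routable address, is recorded for manual whois lookup.
        if not helo_matches(helo, sender_domain) or not ipaddress.ip_address(ip).is_global:
            findings["foreign_hops"].append((ip, helo))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            bad = zip_members_with_executables(part.get_payload(decode=True))
            if bad:
                findings["bad_attachments"].append((name, bad))
    findings["suspicious"] = bool(findings["foreign_hops"] or findings["bad_attachments"])
    return findings


if __name__ == "__main__":
    for received in SAMPLE_RECEIVED:
        print(triage(build_sample_message(received)))
```

The HELO comparison is deliberately loose: a legitimate relay for nacha.org would normally identify as a host under that domain, so a bare "cgorq.com" is a red flag even before the IP's owner is looked up. Reading only the zip's central directory keeps the triage safe to run on an untrusted attachment, which is the whole point of not double-clicking the "form".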
These fraudulent emails typically make reference to an ACH transfer, payment, or transaction and contain a link or attachment that infects the computer with malicious code when clicked on by the email recipient. The source addresses and contents of these fraudulent emails vary -- with more recent examples purporting to come from actual NACHA employees and/or departments -- and often including a counterfeit NACHA logo and the citation of NACHA's physical mailing address and telephone number.
NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to persons or organizations about individual ACH transactions that they originate or receive.
I hope this article keeps you, my readers, from letting curiosity get your computers infected with Zeus/Zbot, Bredolab, or any other botnet software. When these scam emails arrive, delete them immediately; don't open them to read the content. Furthermore, make sure you have the best anti-malware/anti-virus protection you can afford, installed and updated frequently, with new definitions hosted in the "cloud." Trend Micro and Norton security products both use cloud definitions to block newly discovered malware threats in the wild, and both include email scanners that stop you from infecting your computer by opening a malware-laden attachment. Bear in mind that definitions always lag a fresh spam run by some hours, so the scanner is a backstop, not a substitute for deleting the message unopened.
Last, if you use MailWasher Pro to block spam and threats before they are downloaded to your email client, I write and publish custom spam filters, several of which detect and delete, or flag, ACH, FDIC and other similar malware threats.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.