ACH email scams now using links to malware exploit sites
Over the last couple of weeks there has been a huge spam run with fake ACH canceled transaction notices, all of which came with malware inside attached files. Recipients were urged to open these files to read the failed transaction report. Effective 9/26/11, the same message text is being re-used, with the exception of how the victim is supposed to read the "Transaction Report."
Now, instead of sending malware directly as attached files, the criminals behind this scam are providing links to read the "Transaction Report" at the "Nacha.org" website. At least, that is what the links show to the casual observer. If one hovers over these links, they learn that the destination is not nacha.org, but a totally different website name. All of the domain names used in the spam run I saw today (9/26/2011) were registered today, with a company calling itself: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE. Most of the domains are not resolving at this time, but at least one is. That malware-serving site is at na-chas-data-info DOT com (do not go there with a standard browser!).
Upon landing on this still-active website, hosted on Yahoo.com, the victim sees a fake "NACHA - ACH Transfer Rejected" titled page. Unknown to the victim, a hidden iframe is hijacking the browser away from that fake notice to a server that attacks the browser with the BlackHole Exploit Kit. That server is at: "huntcheerful.com" - hosted at p8p.geo.vip.sp2.yahoo.com.
UPDATE:
As I was typing this the malware account at huntcheerful.com began serving a 503 Service Unavailable notice. I guess that somebody at Yahoo finally read my SpamCop reports against this domain.
It appears that the six domains I reported earlier today have all been taken offline. However, the people behind this scam will keep registering new cheap domain names and will continue to abuse legitimate web hosts to serve malware to as many people that they can trick into clicking on those links.
To protect yourself, your family, and/or employees, inform them that the US NACHA organization does not ever contact the public about any failed "ACH" transactions. Neither does anything going by the name ACH ever contact people whose transactions didn't go through. Only your bank will contact you if your check, deposit, or money transfer fails.
Any email about a failed ACH transaction, not coming from your known bank, is a fake and a scam and should be deleted on sight. If someone at your business receives such a notice and isn't sure if it is legitimate, call your bank and ask if a recent transaction has failed, or been canceled by the other party. In 99% of the calls they will tell you no such thing has occurred.
You can add a layer of protection to your email users by creating rules that block all emails claiming to be sent from nacha.net, nacha.org and nacha.us. If you are able to create wildcard rules, block all email from any address at nacha.anything. The email screening program MailWasher Pro, which I use, utilizes regular expressions to blacklist email senders, based on what is listed in the "From" field. The rule I use to block anything from any sender @ nacha.anything is: +@nacha.+
In addition to using blacklisted senders, MailWasher also uses custom filters, which I happen to publish for others to use. A couple of my MailWasher filters already detect, flag and/or auto-delete these scams.
For those who have not yet seen these ACH scam emails, here is what one contains in the subject and viewable message body.
Subject:
ACH Payment 6911592 Canceled
From:
"ach 01" <[email protected]>
Body Text:
ACH Payment Canceled
The ACH transaction (ID:21414767 ), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.
Rejected transaction
Transaction ID: 21414767
Transaction Report: www.nacha.org/reports/index.php?number=21414767
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100
2011 NACHA - The Electronic Payment Association
The link shown above is just what the authors want you to see. The actual link led to: na-chas-data-info.com - which has just been taken offline. Hopefully, you were not one of the victims of this malware attack.
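As an added example (not the author's MailWasher filter and not code from this post), here is a Python version of the two checks the post recommends: the "+@nacha.+" sender rule, and a comparison of each link's visible text against the host its href really points to, which is how the fake nacha.org link above would have been caught. The sender domain and the link target in the sample are constructed placeholders, not real indicators.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the scam message quoted above. The sender
# domain and the real link target are placeholders, not real indicators.
SAMPLE_FROM = '"ach 01" <ach01@nacha.example>'
SAMPLE_BODY = """<p>Rejected transaction, ID: 21414767</p>
<p>Transaction Report: <a href="http://malware-host.example/reports/index.php?number=21414767">www.nacha.org/reports/index.php?number=21414767</a></p>
<p><a href="https://www.nacha.org/">www.nacha.org</a></p>"""

# Equivalent of the MailWasher blacklist rule "+@nacha.+": block any sender
# whose address is at nacha.<anything>, whatever the top-level domain.
SENDER_BLOCK_RE = re.compile(r"@nacha\.[a-z0-9.-]+$", re.IGNORECASE)
# Link text only counts as "showing a host" if it looks like a URL or hostname.
HOSTLIKE_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#:]|$)", re.I)

def sender_is_blocked(from_header: str) -> bool:
    """True if the address part of the From header is at nacha.<anything>."""
    _, addr = parseaddr(from_header)
    return bool(SENDER_BLOCK_RE.search(addr))

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s: str):
    """Hostname named by a URL or bare hostname string, else None."""
    s = s.strip()
    if not HOSTLIKE_RE.match(s):
        return None
    return urlparse(s if "://" in s else "http://" + s).hostname

def mismatched_links(html: str) -> list:
    """Return (shown_text, real_href) for links whose visible text names a
    different host than the one the href actually goes to."""
    p = _LinkCollector()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if _host(text) and _host(href) and _host(text) != _host(href)]
```

Running mismatched_links(SAMPLE_BODY) flags only the "Transaction Report" link, because its text names www.nacha.org while the href goes elsewhere; the genuine nacha.org link passes.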
If you, a relative, or an employee did click on that link, or a similar link, consider that computer to be botted and Trojanized. It should be taken offline and disinfected with the best anti-malware program you have, or can afford.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.