Return of fake ACH & invoice emails with malware in attachments
Earlier this week I noted that the spate of fake ACH transaction canceled spam emails had subsided. Well, no time off for crime fighters. They returned today, along with some fake invoices and "changelogs" in spam messages, sent from infected computers in spam botnets.
My email spam-screening program is MailWasher Pro, which uses a combination of several tactics to determine whether an incoming message is good or bad, friend or foe. The program allows users to compose their own spam detection filters, based upon various criteria found in email messages, some hidden, some visible. I write and publish filters for MailWasher Pro users, and some of the most effective filters right now are the ones that detect ACH scams and emails with Zip file attachments.
All of the ACH fraud messages, along with the fake invoices and changelogs, contain malware downloaders inside the attached files. Anybody running a Windows computer who misguidedly opens the attached zip file and its enclosed .pdf.exe file will have a botnet Trojan downloader installed within seconds. This downloader then goes to work, behind the scenes, to download and install other malware, including the infamous Zbot, aka Zeus, the bank-credential-stealing Trojan.
The subjects and come-ons used in this latest spam run are listed below, in my extended comments.
ACH Fraud emails:
Varied Subjects:
ACH Payment 19892343 Failed
ACH Payment 93454967 Rejected
ACH NOTIFICATION
Sample of Body Text:
The ACH transaction (ID: 93454967), recently sent from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Reason of rejection See details in the report below
Transaction Report report_1509.pdf.zip (ZIP archive, Adobe PDF)
2011 NACHA - The Electronic Payments Association
Another ACH Fraud Body Text: Please, be informed that some financial body cancelled your ACH transaction (ID: 44510732), lately started by you or another person from your check account.
Rejected transaction Transaction ID: 8574210513218 Reason for rejection: See details in the attachment Transaction Report: report_082011-65.pdf.exe (self-extracting archive, Adobe PDF)
Fake Invoice and Changelogs:
Subject: Re: FW: End of Aug. Statement
Body Text: Hi, as reqeusted I give you inovices issued to you per sept.Regards
Attachment: Invoices_09.11.11_c.zip
Subject: Re: Changelog 08.23.11
Body Text: Good day, as promised chnglog attached,
Attachment: changelog_09152011_Y2702.zip
Subject: Re: Changelog as promised 08.23.2011
Body Text: Good morning, changelog attached,
Attachment: log_09152011_o75993.zip
Subject: Re: Your Changelog 08.23.2011
Body Text: Hi, as promised changelog,
Attachment: change_09152011_V046.zip
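As an added example (not code from this post, nor a MailWasher Pro filter), here is a small Python screen that applies the indicators quoted above: the ACH and changelog subject lines, document-then-executable double extensions such as .pdf.exe, and executables hidden inside a .zip attachment. The sample message it builds is constructed here to mirror the ACH lure, not a real capture.

```python
import email.message
import io
import re
import zipfile

SUSPECT_SUBJECTS = [  # taken from the subjects quoted above; a weak signal on their own
    re.compile(r"^ACH (Payment \d+ (Failed|Rejected)|NOTIFICATION)$", re.I),
    re.compile(r"^Re: (FW: )?.*(Statement|Changelog)", re.I),
]
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # run on double-click in Windows
# document-then-executable names such as report_082011-65.pdf.exe
DOUBLE_EXT = re.compile(r"\.(pdf|doc|xls|txt)\.(exe|scr|com|pif|bat|cmd)$", re.I)

def check_attachment(filename, data=b""):
    """Return reasons an attachment name (and, for a ZIP, its member names) look like a lure."""
    reasons = []
    if DOUBLE_EXT.search(filename) or filename.lower().endswith(EXEC_EXT):
        reasons.append(f"executable or double-extension attachment: {filename}")
    if filename.lower().endswith(".zip") and data:
        try:  # inspect member names only; nothing is extracted to disk
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXT):
                        reasons.append(f"executable inside zip: {filename}/{member}")
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip: {filename}")
    return reasons

def score_message(raw_bytes):
    """Flag a raw RFC 822 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in SUSPECT_SUBJECTS):
        reasons.append(f"suspect subject: {subject}")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            reasons += check_attachment(name, part.get_payload(decode=True) or b"")
    return reasons

def build_sample():
    """Constructed message mimicking the ACH lure quoted above (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report_1509.pdf.exe", b"placeholder bytes, not a real program")
    msg = email.message.EmailMessage()
    msg["Subject"] = "ACH Payment 93454967 Rejected"
    msg.set_content("The ACH transaction (ID: 93454967) was rejected. See the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report_1509.pdf.zip")
    return msg.as_bytes()
```

A real filter would treat the attachment findings as decisive and the subject match only as supporting evidence, since genuine "Re: Changelog" replies do exist.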
I pray that none of my readers have fallen for these scams. I try my best to keep you aware of email threats targeting innocent Netizens every day. Chance favors the prepared mind. If you make yourselves aware of the nature of these recurring scam email messages and the types of attachments and file names they use, chance will favor you, and you will not become curious enough to open the infected payloads in them. If you pay attention to my warnings and those of other cyber cops, your mind will be prepared to mentally flag these types of scams instantly. You will delete them on sight, or create spam rules to delete them for you. You will avoid becoming another victim of bank-account-stealing Trojans. Your computer will not become a zombie member of the spam botnet that sends out these fraudulent messages.
On the other hand, if you have opened one of these ACH scams, or a fake invoice, or changelog, or a fake Xerox scanned document (from previous spam runs), your computer (Windows) is most likely botted. You need a really good, legitimate anti-malware program to detect, halt and remove the various components of these botnet and banking Trojans and the "rootkit" protecting them. I use and recommend Trend Micro Titanium Internet Security and also Malwarebytes' Anti-Malware to secure my PC from hostile links and malware in email, and to block malware and viruses from being installed in the first place.
Hint! If you don't routinely receive legitimate email attachments, you can turn off downloading attachments in your email program. In Windows Live Mail (and the old Outlook Express), there is an option under "Options > Safety Options > Security" labeled as follows: "Do not allow attachments to be saved or opened that could potentially be a virus." Place a check mark on the left of that option. While you are in the Security tab, it is a good idea to also check the option labeled "Restricted sites zone (More secure)." Then go to the bottom of the page and click Apply, then OK.
If you enable the option to not allow attachments to be opened or saved, and subsequently receive a legitimate attached file, like a photo, or other expected attachment, you can close that email, then return to the Safety Options > Security tab, and uncheck the option "Do not allow attachments to be saved or opened that could potentially be a virus" and apply the change. Open that email again and you will be able to download, view or save the attached file.
If you uncheck that option you should make certain you have top notch security software installed and up to date, and hopefully watching your email for threats.
After you save or view a desired attachment you can re-check the option to disallow this behavior. It's a bit of a hassle, but nowhere near the hassle of getting infected by botnet and banking Trojans, or even fake anti-virus scareware programs.
As I mentioned earlier, I use and recommend MailWasher Pro to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client. Check it out if you haven't already done so.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.