So now you’re on LinkedIn: What’s next?

By far the most common theme for malware emails over the last few weeks has been “interbank payment rejected” or similar. The emails refer to a cancelled or rejected interbank transaction and are alternatively from: 

These are all essentially the same: NACHA is the Electronic Payments Association and manages the development, administration, and governance of the ACH Network. The malware has either been attached to the emails or, as in more recent exmaples, has included links that lead to webpages with JavaScript-based malware.

What does any of this have to do with LinkedIn? Not much. But the latest version of the NACHA themed emails features the subject line: “So now you’re on LinkedIn: What’s next?”. This could be:

– designed to increase the open-rate for recipients who might otherwise ignore a “transaction rejected” email

– designed to fool some very primitive spam filter

– a mistake made by the email’s creator

Perhaps the malware distributor who sent this email can enlighten us.


Email text:

The ACH transaction (ID: 90343675941857), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Rejected transfer

Transaction ID: 90343675941857

Reason of rejection See details in the report below

Transaction Report report_90343675941857.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171