Updated: NACHA Payment cancelled – scam continues

In February 2011, NACHA alerted the public about fraudulent emails that appeared to be sent from NACHA and were signed by a non-existent NACHA employee. We reported this campaign back in June 2011, but it has returned in the past 2 weeks with a new twist to trick users into opening a malicious executable. The email (shown below) includes a link to “the report”.

Email text

The ACH transaction (ID:———), recently initiated from your checking account (by you or any other person), was cancelled by the other financial institution.

Rejected transaction

Transaction ID: ———-

Transaction Report: www.nacha.org/reports/index.php?number=——-

Clicking the link does not lead to “nacha.org/reports/index.php” but to a malicious site that prompts the user to download an executable file, as seen below.

We detect the downloaded file “report_270918123.pdf.exe” as W32/Zbot.BDD. This variant of Zbot uses pseudo-random domain names and attempts a connection to each one to download a configuration file, as seen below. This malware focuses on stealing sensitive financial data (email credentials, online banking login details, etc.).

The IP addresses above belong to Dankon Ltd. in Russia. We recommend blocking the IP address range “193.27.246.0 – 193.27.247.255”, which belongs to Dankon Ltd.

NOTES:

According to NACHA.org, NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive. So don’t be fooled by this ACH transaction email scam.

Update:

A new variant of the downloaded NACHA file uses an Adobe Flash exploit (CVE-2011-0611) and the Java Plugin LaunchJNLP DocBase exploit (CVE-2010-3552) to download and execute a binary file from the URL “hxxp://brightnix.com/w.php?f=21&e=8”. We detect this malware as W32/Zbot.BDD.

Updating Adobe Flash Player and the Java Plugin to their latest versions will protect you against this threat.

We recommend blocking the IP addresses 67.195.140.36 and 194.219.29.139.
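To check whether hosts on your network have already touched these indicators, the sketch below scans proxy logs for the blocked range, the two addresses above, and downloads with a document-style double extension such as “.pdf.exe”. It is an added example, not code from the original post; the three-field log format, the sample lines and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Indicators taken from the post: the Dankon Ltd. range and the two update IPs.
BLOCKED_NETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("193.27.246.0"), ipaddress.ip_address("193.27.247.255")))
BLOCKED_NETS += [ipaddress.ip_network("67.195.140.36/32"),
                 ipaddress.ip_network("194.219.29.139/32")]

# Document-looking name followed by an executable extension, e.g. "x.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpg)\.(exe|scr|com|pif)$", re.I)

# Assumed log format (constructed sample): "<client_ip> <dest_ip> <url_path>"
SAMPLE_LOG = """\
10.0.0.5 193.27.246.17 /cfg/a1.bin
10.0.0.5 198.51.100.20 /index.html
10.0.0.9 203.0.113.8 /dl/report_270918123.pdf.exe?id=1
10.0.0.7 193.27.248.1 /news.html
10.0.0.7 67.195.140.36 /x
not a log line
"""

def classify(line):
    """Return the reasons a log line is suspicious (empty list if clean)."""
    parts = line.split()
    if len(parts) != 3:
        return []  # malformed line: ignore rather than crash
    _, dest, path = parts
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return []  # destination field is not an IP address
    reasons = []
    if any(ip in net for net in BLOCKED_NETS):
        reasons.append("blocked-ip")
    # Drop the query string, then keep only the last path segment.
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if DOUBLE_EXT.search(filename):
        reasons.append("double-extension")
    return reasons

def scan(log_text):
    """Return (line_number, reasons) for every suspicious line."""
    return [(n, r) for n, line in enumerate(log_text.splitlines(), 1)
            if (r := classify(line))]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(n, ",".join(reasons))
```

The recommended range collapses to the single prefix 193.27.246.0/23, which is the form most firewalls and proxies expect in a block rule.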