Sure enough, I came back from my morning meetings to find 150 copies of the newest Zeus distribution campaign. The new campaign pretends to be the National Automated Clearing House Association (NACHA), which is the group that manages the relationships between participating financial institutions. During the 3rd Quarter of 2009, they report that they brokered 3.77 billion transactions worth more than $7.3 trillion. I was observing this morning that the criminals know more about our financial networks than the average banking consumer who probably doesn't understand what NACHA is or how the organization works. When I shared this thought with Brian Krebs today, he commented "I assure you that the comptrollers of the companies being targeted by these criminals know who NACHA is!" (Krebs is the author of the Washington Post's Security Fix column, and a leader in researching this family of attacks.
In this case, the spam subject lines are:
Please review the transaction report
Rejected ACH transaction
Rejected ACH transaction, please review the transaction report
Unauthorized ACH transaction
Unauthorized ACH Transaction Report
Your ACH transaction was rejected
Your ACH transaction was rejected by The Electronic Payments Association
Sender names used in the spam, all with the email support@nacha.org, included:
ACH Network
Automated Clearing House (ACH)
Electronic Payments Association
NACHA
nacha.org
National Automated Clearing House Association
The email message itself reads:
Dear bank account holder,
The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report
------------------------------------------------------------------
Copyright ©2009 by NACHA - The Electronic Payments Association
The website to which you are directed looks like this:
The Transaction Report is described on the website as a "self-extracting, pdf format" file, but is of course really a zbot infector.
The current version of the file is:
File size: 123392 bytes
MD5 : f8150d384940a3ddd24fa5333be0162b
A full Virus Total report is also available, showing 16 of 41 AV companies detecting this version of the malware.
The websites that we are seeing so far on this attack are . . .
nacha.org.corefirstid.com
nacha.org.corefirstid.eu
nacha.org.corefirstid3.com
nacha.org.corefirstid4.com
nacha.org.corefirstid5.com
nacha.org.corefirstid8.com
nacha.org.fffazsa.co.uk
nacha.org.fffazsa.me.uk
nacha.org.fffazsa.org.uk
nacha.org.fffazsf.co.uk
nacha.org.fffazsf.me.uk
nacha.org.fffazsf.org.uk
nacha.org.fffazss.co.uk
nacha.org.fffazss.me.uk
nacha.org.fffazss.org.uk
nacha.org.fffazsx.co.uk
nacha.org.fffazsx.me.uk
nacha.org.fffazsx.org.uk
nacha.org.fstpproid01.com
nacha.org.fstpproid02.com
nacha.org.fstpproid03.com
nacha.org.fstpproid04.com
nacha.org.fstpproid08.com
nacha.org.fstpproid09.com
nacha.org.fstpproid10.com
nacha.org.fstpproid12.com
nacha.org.fstpproid15.com
nacha.org.modsftp01.com
nacha.org.modsftp03.com
nacha.org.modsftp04.com
nacha.org.modsftp05.com
nacha.org.redaczxj.co.uk
nacha.org.redaczxj.me.uk
nacha.org.redaczxj.org.uk
nacha.org.redaczxk.co.uk
nacha.org.redaczxk.me.uk
nacha.org.redaczxk.org.uk
nacha.org.redaczxm.co.uk
nacha.org.redaczxm.me.uk
nacha.org.redaczxm.org.uk
nacha.org.redaczxn.me.uk
nacha.org.redaczxn.org.uk
nacha.org.redaczxs.co.uk
nacha.org.redaczxs.me.uk
nacha.org.tttteacb.co.uk
nacha.org.tttteacb.me.uk
nacha.org.tttteacb.org.uk
nacha.org.tttteacf.co.uk
nacha.org.tttteacf.me.uk
nacha.org.tttteacg.co.uk
nacha.org.tttteacg.org.uk
nacha.org.tttteack.co.uk
nacha.org.tttteack.me.uk
nacha.org.tttteack.org.uk
nacha.org.tttteacx.co.uk
nacha.org.tttteacx.me.uk
nacha.org.tttteacx.org.uk
nacha.org.tyeen.me.uk
nacha.org.tyeep.me.uk
No comments:
Post a Comment