Date: Wed, 24 Jan 2012 13:31:58 +0100
From: "email@example.com" [firstname.lastname@example.org]
Subject: ACH transfer pending
Dear Sir or Madam,
This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:
Transaction ID: 471209863177939
Transaction status: pending
In order to resolve this matter, please review the transaction details using the link below as soon as possible.
The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 22.214.171.124 (Zerigo Inc, California) and closteation.com on 126.96.36.199 (Endurance International, Massachusetts). Wepawet reports are here and here.
Blocking the IPs will prevent any other malicious sites on those servers from causing problems.