Tuesday, 28 February 2012

NACHA Spam / cgunikqakklsdpfo.ru

A terse version of the familiar NACHA fake spam, leading to malware:

Date:      Mon, 26 Feb 2012 12:16:40 +0530
From:      accounting@victimdomain.com
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department

The payload is at cgunikqakklsdpfo.ru:8080/img/?promo=nacha, a domain that is multihomed (details below). If you don't have outbound filtering in place, it is easy to search your proxy or firewall logs for connection attempts to .ru hosts on port 8080.
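As an added example (not from the original post), here is a small Python script that does that log search: it walks Squid-style proxy access log lines, extracts the destination from both plain GET URLs and CONNECT host:port requests, and flags any .ru host on port 8080. The log lines are constructed for the example and the layout assumed is the default Squid native format.

```python
from urllib.parse import urlsplit

# Constructed sample lines in the default Squid access.log layout:
# timestamp elapsed client action/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1330262200.123 412 10.0.0.15 TCP_MISS/200 5123 GET http://cgunikqakklsdpfo.ru:8080/img/?promo=nacha - DIRECT/203.0.113.10 text/html
1330262201.456 201 10.0.0.22 TCP_MISS/200 8812 GET http://www.example.com/index.html - DIRECT/198.51.100.7 text/html
1330262202.789 333 10.0.0.15 TCP_MISS/404 410 GET http://example.ru/news - DIRECT/203.0.113.22 text/html
1330262203.001 150 10.0.0.31 TCP_MISS/200 1001 CONNECT otherhost.ru:8080 - DIRECT/203.0.113.99 -
"""


def is_suspicious(url: str, tld: str = ".ru", port: int = 8080) -> bool:
    """True when the destination host ends in `tld` and the port is `port`."""
    # CONNECT requests log "host:port" with no scheme; prefix "//" so urlsplit
    # treats the string as a network location instead of a path.
    if "://" not in url:
        url = "//" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        dst_port = parts.port
    except ValueError:  # malformed port in the log line
        return False
    if dst_port is None:  # no explicit port: use the scheme default
        dst_port = 443 if parts.scheme == "https" else 80
    return host.endswith(tld) and dst_port == port


def find_hits(log_text: str):
    """Return (client_ip, destination) for every line whose destination matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:  # skip blank or truncated lines
            continue
        client, url = fields[2], fields[6]
        if is_suspicious(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_hits(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

The internal client addresses in the output are the machines to look at first, since they were the ones that tried to fetch the payload.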

The list of IPs gets a little shorter every time, but there are still some familiar hosts here:

(Steadfast Networks, US)
(Colopronto, US)
(MVN Systems Ltd, Bulgaria)
(Free SAS / ProXad, France)
(Optimate-server, Germany)
(Bharti Infotel, India)
(Slicehost, US)
(Slicehost, US)
(Slicehost, US)
(OVH SAS, France)
(Telemax, Peru)
(ECSuite, US)
(Century Telecom Ltda, Brazil)
(Slicehost, US)
(Commission For Science And Technology, Pakistan)

A plain list for copy-and-pasting: