From: "Олег.Тихонов@direct.nacha.org" [mailto:firstname.lastname@example.org]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment

To whom it may concern:

We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please consult with your financial institution to obtain the updated version of the software.

ACH Network Rules Department
NACHA - The Electronic Payments Association
11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894

The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php. I am having difficulty resolving that domain, but it appears to be on 18.104.22.168 (Hetzner, Germany), and the payload looks something like this.

DNS services are provided by justintvfreefall.org, which is also probably malicious. The nameservers are on 22.214.171.124 (Fornex Hosting, Germany) and 126.96.36.199 (the same).
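Two checks a mail or SOC team would want from the indicators above, written here as an added example and not code from the original post: the From: header carries a look-alike address (something@direct.nacha.org) in its display name while the real sender domain is different, and the hosts and IPs named in the post should light up in DNS and proxy logs. The sample message and log lines below are constructed for the example; the message uses the raw RFC 5322 form of the header (display name plus angle-bracket address) rather than the [mailto:] rendering a mail client shows, and the IPs are taken as the post quotes them.

```python
"""Header look-alike check and IOC log scan for the NACHA-themed spam.

Indicators are those named in the post. SAMPLE_EMAIL and SAMPLE_LOG are
constructed inputs for this example, not captures from the original page.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators as listed in the post (IPs quoted as given, not re-verified here).
IOC_DOMAINS = {"mgithessia.biz", "justintvfreefall.org"}
IOC_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199"}

# Constructed raw message reproducing the shape of the spam. The real address
# is the placeholder the post shows; only the display name claims nacha.org.
SAMPLE_EMAIL = """\
From: "Олег.Тихонов@direct.nacha.org" <firstname.lastname@example.org>
Date: Wed, 27 Mar 2013 03:25:00 +0000
Subject: Disallowed Direct Deposit payment
To: victim@example.net
Content-Type: text/html; charset=utf-8

<p>We would like to inform you, that your latest Direct Deposit via ACH
transaction (Int. No.989391803448) was cancelled,because your business
software package was out of date.</p>
<p><a href="http://mgithessia.biz/closest/repeating-director_concerns.php">Click here for more information</a></p>
"""

# Constructed DNS-resolver and proxy log lines. Line 1 mirrors the post's
# observation that the domain does not resolve (SERVFAIL is itself a signal).
SAMPLE_LOG = """\
2013-03-27T09:12:44Z dns client=10.0.0.23 qname=mgithessia.biz qtype=A rcode=SERVFAIL
2013-03-27T09:12:45Z dns client=10.0.0.23 qname=www.example.com qtype=A rcode=NOERROR
2013-03-27T09:13:01Z proxy client=10.0.0.23 dst=18.104.22.168:80 url=http://mgithessia.biz/closest/repeating-director_concerns.php status=200
2013-03-27T09:14:10Z proxy client=10.0.0.41 dst=93.184.216.34:443 url=https://www.example.com/ status=200
"""

# An e-mail address embedded in free text; \w covers the Cyrillic local part.
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?")
HOST_TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _is_ioc_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def display_name_spoof(raw_message):
    """Return (claimed_domain, real_domain) when the From: display name holds
    an address whose domain differs from the actual sender's, else None."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    real_domain = addr.rpartition("@")[2].lower()
    m = ADDR_RE.search(name)
    if not m or not real_domain:
        return None
    claimed = m.group(1).lower()
    return (claimed, real_domain) if claimed != real_domain else None


def ioc_urls_in_body(raw_message):
    """List every URL in the (single-part) body whose host is an IOC domain."""
    msg = message_from_string(raw_message)
    body = str(msg.get_payload())
    return [u for u in URL_RE.findall(body) if _is_ioc_host(u.split("/")[2])]


def scan_log_lines(log_text):
    """Return [(line_number, sorted indicators)] for lines touching an IOC.
    Hostnames match on the domain or any subdomain; IPs match exactly."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        matched = {ip for ip in IP_RE.findall(line) if ip in IOC_IPS}
        matched |= {t.lower().rstrip(".") for t in HOST_TOKEN_RE.findall(line)
                    if _is_ioc_host(t)}
        if matched:
            hits.append((lineno, sorted(matched)))
    return hits


if __name__ == "__main__":
    print("display-name spoof:", display_name_spoof(SAMPLE_EMAIL))
    print("IOC URLs in body:", ioc_urls_in_body(SAMPLE_EMAIL))
    for lineno, inds in scan_log_lines(SAMPLE_LOG):
        print(f"log line {lineno}: {', '.join(inds)}")
```

The display-name check is deliberately narrow: it fires only when the visible name itself looks like an address at a different domain, which is the trick this lure relies on, and it says nothing about SPF or DKIM. The log scan matches subdomains of the listed hosts as well, since a DNS-hosting domain such as justintvfreefall.org is more likely to appear as ns1.justintvfreefall.org than bare.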