From: The Electronic Payments Association - NACHA [firstname.lastname@example.org]The link in the email goes through a legitimate hacked site and then attempts to direct visitors to [donotclick]www.nacha-ach-processor.com/news/ach-report.php (report here) which is hosted on the following IPs:
Date: 5 September 2013 17:55
Subject: Rejected ACH transfer
The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's bank.
ACH ID: 985284643257
Rejection Reason See additional info in the statement below
Transaction Detailed Report View Report 985284643257
NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:
The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.
NACHA develops and implements a comprehensive, end-to-end risk management framework that includes network entry requirements, ongoing requirements, enforcement, and ACH Operator tools and services. Collectively, the strategy addresses risk and quality in the ACH Network by minimizing unauthorized entries and customer services costs to all Network participants.
14560 Sunny Valley Drive, Suite 204
Herndon, VA 20171
© 2013 NACHA - The Electronic Payments Association
22.214.171.124 (Goykhman And Sons LLC, US)
126.96.36.199 (Megalan / Sofia Mobiltel EAD, Bulgaria)
188.8.131.52 (Interoute Hosting, UK)
The IPs in use identify it as belonging to what I call the Amerika gang. There are several other malicious domains on these same IPs, and they form part of this larger group of dangerous IPs and domains.