Thursday 12 November 2009

support@nacha.org: "Please review the transaction report"

This is the Zbot trojan, or something very much like this one.

From: Electronic Payments Association [mailto:support@nacha.org]
Sent: 12 November 2009 14:58

Subject: Please review the transaction report

Dear bank account holder,
The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

Copyright ©2009 by NACHA - The Electronic Payments Association

The underlying link goes to nacha.org.fffazsf.org.uk, a look-alike host that puts the brand name in front of a freshly registered domain. The host itself sits on what looks like a fast-flux botnet (the IP addresses behind it keep changing). The landing page attempts to get the user to download report.exe (a Zbot variant). It also opens an IFRAME to a well-known malware domain in China.

VirusTotal shows patchy detections; the sample is still being analysed by ThreatExpert.

The domain name registration is obviously fake (a Goldsboro street address in "Belgium", registered the same day the spam went out):

    Domain name: fffazsf.org.uk
    Registrant: Matthew Hughes
    Registrant type: Non-UK Individual
    Registrant's address: 203 Striding Ridge Drive Goldsboro 3881 Belgium
    Registrar: Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
    URL: http://www.123-reg.co.uk

    Relevant dates:
    Registered on: 12-Nov-2009
    Renewal date: 12-Nov-2011
    Last updated: 12-Nov-2009

    Registration status: Registration request being processed.

    Name servers: ns1.pa-estate.com ns1.tradesdomains.net
Dig deeper at pa-estate.com and we see a familiar email address (note the Manassas address with a "Province/State" of beijing, and a phone number with too many digits to be real):

    Name: Michell
    Organization: Michell
    Address: 8663 Sudley Road
    City: Manassas
    Province/State: beijing
    Country: United States
    Postal Code: 20108
    Phone Number: 571-866-7585793
    Fax: 571-866-7585793
    Email: Michell.Gregory2009@yahoo.com

A Google Search for that address comes up with over 24,000 references!

tradesdomains.net is registered differently:

    Dolorous Lane
    512 Stonegate Pl
    Phone: +1.6155546664

ns1.pa-estate.com and ns1.tradesdomains.net are hosted on an IP address belonging to Global Net Access, LLC, which also hosts puioypai.org, a domain that looks suspect too. ns2.tradesdomains.net is on an IP address at Bahnhof Internet, Sweden.

Added: the email comes from several different sender addresses (all spoofed to look like nacha.org), including:
  • report@nacha.org
  • support@nacha.org
  • info@nacha.org
Subjects include:
  • Your ACH transaction was rejected by The Electronic Payments Association (NACHA)
  • Please review the transaction report
  • Your ACH transaction was rejected
Domains spotted so far:
  • nacha.org.tttteacf.co.uk
  • nacha.org.tttteacx.org.uk
  • nacha.org.redaczxm.me.uk
  • nacha.org.fffazsx.co.uk
Some additional nameservers:
  • ns1.pa-estate.net
  • ns1.video-format.com
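The lure relies on two tricks listed above: a spoofed @nacha.org sender, and links whose hostname starts with "nacha.org" but is actually registered under some other domain (nacha.org.fffazsf.org.uk, nacha.org.tttteacf.co.uk, and so on). The following is an added example, not code from the original post, of how a mail filter can check both. It also generalises slightly: a message claiming to be from nacha.org whose links go to any domain not registered as nacha.org (such as the bare ACHWSITE.INFO variant mentioned in the comments) is flagged as well. The sample messages are constructed for the example, and the short public-suffix table is an assumption made to keep the code self-contained; a real deployment would load the full Public Suffix List.

```python
"""Flag NACHA-themed lures: spoofed nacha.org sender plus look-alike link hosts.

Added example, not code from the original post.  Sample messages below are
constructed; the multi-label suffix table is a deliberately small assumption.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

BRAND_DOMAIN = "nacha.org"

# Public suffixes of more than one label that occur in the campaign's hosts.
# Assumption for this example; use the Public Suffix List in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. fffazsf.org.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def contains_brand_labels(host: str, brand: str = BRAND_DOMAIN) -> bool:
    """True if the brand's labels appear as a contiguous run inside host."""
    h = host.lower().rstrip(".").split(".")
    b = brand.lower().split(".")
    return any(h[i:i + len(b)] == b for i in range(len(h) - len(b) + 1))


def is_brand_as_subdomain(host: str, brand: str = BRAND_DOMAIN) -> bool:
    """nacha.org.fffazsf.org.uk -> True; www.nacha.org -> False."""
    return contains_brand_labels(host, brand) and registered_domain(host) != brand


def sender_domain(from_header: str) -> str:
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def analyse(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and score it against the lure pattern."""
    msg = message_from_string(raw_message)
    sender = sender_domain(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = [h for h in (urlparse(u).hostname for u in URL_RE.findall(body)) if h]
    lure_hosts = [h for h in hosts if is_brand_as_subdomain(h)]
    claims_brand = sender == BRAND_DOMAIN
    # Rule 1: brand name embedded in a host registered elsewhere.
    # Rule 2: sender claims the brand but links lead off-brand.
    off_brand = claims_brand and any(registered_domain(h) != BRAND_DOMAIN for h in hosts)
    return {
        "sender_domain": sender,
        "claims_brand": claims_brand,
        "link_hosts": hosts,
        "lure_hosts": lure_hosts,
        "verdict": "lure" if (lure_hosts or off_brand) else "clean",
    }


# Constructed samples modelled on the messages quoted in the post and comments.
SAMPLE_LURE = """From: Electronic Payments Association <support@nacha.org>
Subject: Please review the transaction report

Dear bank account holder,
The ACH transaction was rejected. Please review the transaction report:
http://nacha.org.fffazsf.org.uk/report/
"""

SAMPLE_ALT = """From: NACHA <transactions@nacha.org>
Subject: Your ACH transaction was rejected

Please click here http://achwsite.info/ to view details
"""

SAMPLE_LEGIT = """From: NACHA News <news@nacha.org>
Subject: Monthly update

Read more at https://www.nacha.org/news
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("alt", SAMPLE_ALT), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample))
```

The suffix handling matters: without it, nacha.org.fffazsf.org.uk would be reduced to "org.uk" and the comparison would still work by accident, but a host like nacha.org.example.co.uk would be reduced to "co.uk" and a legitimate www.nacha.org.uk-style host would be mishandled, so the registrable domain must be computed before comparing it with the brand.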


wahnula said...

Thanks for the report, keep them coming. Just letting you know, you were the first hit on Google for this scam. I like the "freshness" of your reporting and it is appreciated.

Unknown said...

I received 8 emails from a variety of @nacha.org within a 14 hour period (Nov.12-13). My server's junk filter caught it. This would be so easy for people to open, thinking it was "true"! Thanks for the info - I'm passing it on!

pamelajstarr said...

They're back. I received an e-mail this morning -

The ACH transaction, recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association. Please click here http: //ACHWSITE.INFO to view details
Roscoe Merrill, Risk Manager

Unknown said...

I got this email yesterday and it seemed fishy. Keep up the good work catching this stuff.

Jim said...

Just received one myself. From transactions@nacha.org and says for more information click here. Junk filter caught it.