From: Electronic Payments Association [mailto:support@nacha.org]
Sent: 12 November 2009 14:58
Subject: Please review the transaction report
Dear bank account holder, The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report
------------------------------------------------------------------
Copyright ©2009 by NACHA - The Electronic Payments Association
The underlying link goes to nacha.org.fffazsf.org.uk, which is itself hosted on some sort of fast-flux botnet. The landing page attempts to get the user to download report.exe (a Zbot variant). It also opens an IFRAME to 121.12.170.177 in China, a well-known malware host.
VirusTotal shows patchy detection rates; the sample is still being analysed by ThreatExpert.
The domain name registration is obviously fake:
Domain name: fffazsf.org.uk
Registrant: Matthew Hughes
Registrant type: Non-UK Individual
Registrant's address: 203 Striding Ridge Drive Goldsboro 3881 Belgium
Registrar: Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: 12-Nov-2009
Renewal date: 12-Nov-2011
Last updated: 12-Nov-2009
Registration status: Registration request being processed.
Name servers: ns1.pa-estate.com ns1.tradesdomains.net
Dig deeper at pa-estate.com and we see a familiar email address:
Name : Michell
Organization : Michell
Address : 8663 Sudley Road
City : Manassas
Province/State : beijing
Country : United States
Postal Code : 20108
Phone Number : 571-866-7585793
Fax : 571-866-7585793
Email : Michell.Gregory2009@yahoo.com
A Google Search for that address comes up with over 24,000 references!
tradesdomains.net is registered differently:
Dolorous Lane
fergunis@gmail.com
512 Stonegate Pl
Brentwood
TN
37027
US
Phone: +1.6155546664
ns1.pa-estate.com and ns1.tradesdomains.net are hosted at 207.210.101.253 (Global Net Access, LLC), which also hosts puioypai.org, which looks suspect too. ns2.tradesdomains.net is on 195.178.190.48 (Bahnhof Internet, Sweden).
Added: the email comes from several different addresses, including:
- report@nacha.org
- support@nacha.org
- info@nacha.org
Subject lines seen so far include:
- Your ACH transaction was rejected by The Electronic Payments Association (NACHA)
- Please review the transaction report
- Your ACH transaction was rejected
Other lookalike domains used in the links include:
- nacha.org.tttteacf.co.uk
- nacha.org.tttteacx.org.uk
- nacha.org.redaczxm.me.uk
- nacha.org.fffazsx.co.uk
Other name servers seen include:
- ns1.pa-estate.net
- ns1.video-format.com
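As an added illustration (not code from the original post), the following Python script checks for the tell-tales described above and in the indicator list: a hostname that opens with the brand's labels (nacha.org.) but actually belongs to a different registrable domain, a link whose domain does not match the claimed sender domain, and a link path ending in .exe. The two sample messages are constructed from the text quoted on this page, and the short suffix table is an assumed stand-in for the full Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Two-label public suffixes that occur on this page. Assumption: a real
# deployment would load the full Public Suffix List instead of this table.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host):
    """Return the registrable (owner-level) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_brand_lookalike(host, brand="nacha.org"):
    """True when the brand's labels are used as decoration inside a hostname
    that is not actually under the brand's domain, e.g. nacha.org.fffazsf.org.uk."""
    host = host.lower()
    if host == brand or host.endswith("." + brand):
        return False  # genuinely under the brand's domain
    return host.startswith(brand + ".") or ("." + brand + ".") in host


def analyse_email(raw, brand="nacha.org"):
    """Parse a raw RFC 822 message and return a list of (finding, host, detail) tuples."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    findings = []
    for url in URL_RE.findall(msg.get_payload()):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reg = registrable_domain(host)
        if is_brand_lookalike(host, brand):
            findings.append(("brand-lookalike-host", host, reg))
        elif from_domain == brand and reg != brand:
            # Sender claims to be the brand, but the link leaves its domain.
            findings.append(("link-domain-mismatch", host, reg))
        if re.search(r"\.exe(\?|$)", parsed.path, re.I):
            findings.append(("executable-download", host, url))
    return findings


# Constructed sample: the lure quoted at the top of the post, with the link
# pointed at the lookalike host and the report.exe download it served.
SAMPLE_LURE = """From: Electronic Payments Association <support@nacha.org>
Subject: Please review the transaction report

Dear bank account holder, The ACH transaction, recently initiated from your
bank account, was rejected. Please review the transaction report:
http://nacha.org.fffazsf.org.uk/report.exe
"""

# Constructed sample: the later variant mentioned in the comments, which links
# to an unrelated domain rather than a nacha.org lookalike.
SAMPLE_COMMENT = """From: support@nacha.org
Subject: Your ACH transaction was rejected

Please click here http://achwsite.info to view details
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("comment", SAMPLE_COMMENT)):
        for finding in analyse_email(sample):
            print(name, *finding)
```

The lookalike check is deliberately independent of the sender check: the first sample would be flagged even if it arrived from an unrelated From address, while the second sample is only suspicious because the sender claims nacha.org and the link leaves that domain.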
5 comments:
Thanks for the report, keep them coming. Just letting you know, you were the first hit on Google for this scam. I like the "freshness" of your reporting and it is appreciated.
I received 8 emails from a variety of @nacha.org within a 14 hour period (Nov.12-13). My server's junk filter caught it. This would be so easy for people to open, thinking it was "true"! Thanks for the info - I'm passing it on!
They're back. I received an e-mail this morning -
From: support@nacha.org
The ACH transaction, recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association. Please click here http: //ACHWSITE.INFO to view details
Roscoe Merrill, Risk Manager
I got this email yesterday and it seemed fishy. Keep up the good work catching this stuff.
Just received one myself. From transactions@nacha.org and says for more information click here. Junk filter caught it.