Sponsored by..

Monday 14 November 2011

NACHA / Wire Transfer malicious emails

I'm not sure if these three incidents are all related or are just using the same approach, but here goes.

Date:      Mon, 14 Nov 2011 17:53:54 +0100
Subject:      Disallowed Direct Deposit payment

Dear Sirs,

Herewith we are notifying you, that your latest Direct Deposit transaction (No. 60795715105) was disallowed, because of your business software package being out of date. The detailed information about this matter is available in the secure section of our web site:


Please apply to your financial institution to obtain the new version of the software.

Kind regards,
Sidney Gross
ACH Network Rules Department
NACHA - The Electronic Payments Association

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996

and then

Date:      Mon, 14 Nov 2011 02:42:02 +0530
From:      accounting@victimdomain.com
Subject:      Fwd: Wire Transfer Confirmation (FED 5697WN59)

Dear Bank Account Operator,

I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction ID: 85802292158295165

Current status of transaction: under review

Please review transaction details as soon as possible.

Bernadette Dickinson
Payments Administration

and finally

Date:      Mon, 14 Nov 2011 10:56:29 +0530
From:      "HARMONY URBAN" support@federalreserve.gov
Subject:      Your Wire Transfer

Good day,

Account: Business Account XXX

Amount: $ 93,056.63

Wire Transfer Report: View

The wire transfer will be processed within 2 hours.

Please make sure that everything is as you requested.

Federal Reserve Wire Network 

The first spam leads to a hacked site in Australia (there are probably many others). In turn, this tries to load four scripts to install malware though an HCP attack (Wepawet report here). The scripts are:


In all cases, those scripts appear to be on legitimate (but hacked) websites. The final step for that attack is to try to install a malicious Java application from colobird.com/content/import.jar - a domain that is hosted on but one that was only registered very recently.

The second and third emails take a different approach, loading a page at www.btredret.ru/main.php hosted on (S.C. Profisol Telecom S.R.L., Romania). This attemps a Java exploit (Wepawet report here). This IP is part of a small netblock of - ( and can probably safely be blocked, or you could just block the whole /24 if you wanted,

This is an old approach that has been doing the rounds for two years. It must still work though..

No comments: