Sponsored by..

Thursday, 6 June 2013

NatPay "Transmission Confirmation" spam / usforclosedhomes.net

This fake NatPay spam leads to malware on usforclosedhomes.net.

Version 1:
Date:      Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From:      National Payment Automated Reports System [dunks@services.natpaymail.net]
Subject:      Transmission Confirmation ~26306682~N25BHHL1~

Transmission Verification    
Contact Us
To:    
NPC Account # 26306682
Xavier Reed
   
Re:    
NPC Account # 26306682
D & - D5
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number       408
Batch Description       VENDOR PAY
Number of Dollar Entries       2
Number of Prenotes       0
Total Deposit Amount       $3,848.19
Total Withdraw Amount      $3,848.19
Batch Confirmation Number      50983
   
Date Transmitted      Thursday, June 06, 2013
Date Processed       Thursday, June 06, 2013
Call Start Time       4:06 PM
Call End Time       4:07 PM
Funding Method       2 Day Funding
Cycle       AM
Effective
Entry Date

Transaction Type
   
Entry
Identification

Routing/Transit

Bank Account
Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $3,848.19
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$3,848.19
Totals     $0.00
Report reference ID # N25BHHL1     Created on Thursday, June 06, 2013
Have a question about this report?  Please click here to send us an email with your question.

Version 2:

Date:      Thu, 6 Jun 2013 09:59:06 -0500
From:      National Payment Automated Reports System [lemuel@emalsrv.natpaymail.com]
Subject:      Transmission Confirmation ~10968697~607MPYRC~

Transmission Verification    
Contact Us
To:    
NPC Account # 10968697
Benjamin Turner
   
Re:    
NPC Account # 10968697
D & - MN
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number     219
Batch Description     VENDOR PAY
Number of Dollar Entries     2
Number of Prenotes     0
Total Deposit Amount     $2,549.12
Total Withdraw Amount     $2,549.12
Batch Confirmation Number     24035
   
Date Transmitted     Thursday, June 06, 2013
Date Processed     Thursday, June 06, 2013
Call Start Time     4:06 PM
Call End Time     4:07 PM
Funding Method     2 Day Funding
   
Cycle     AM
Effective

Entry Date

Transaction Type
   
Entry

Identification

Routing/Transit

Bank Account

Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $2,549.12
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$2,549.12
Totals     $0.00
Report reference ID # 607MPYRC     Created on Thursday, June 06, 2013
Have a question about this report? Please click here to send us an email with your question.

The malicious payload is on [donotclick]usforclosedhomes.net/news/walls_autumns-serial.php (report here) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)

The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.

Blocklist:
41.89.6.179
46.18.160.86
93.89.235.13
112.170.169.56
abacs.pl
biati.net
buyparrots.net
citysubway.net
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
enway.pl
federal-credit-union.com
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
myhispress.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
smartsecurityapp2013.com
sngroup.pl
twintrade.net
usforclosedhomes.net


6 comments:

silly_rabbit said...

This is also coming from other URL's as well. This is similar to the Wall-mart phish that hit a few weeks ago.

http://urlquery.net/report.php?id=2927463

http://urlquery.net/report.php?id=2927476

Dee Wilcox said...

I just received the exact same message, but with different dollar amounts. Thank you for posting this!

kthusker said...

Me, too. Thanks so much for posting!

Conrad Longmore said...

@silly_rabbit: the first step is always a legitimate hacked site, then the victim gets redirected to a payload site which is easier to block. And yes.. it's the same group who send the Walmart one a few weeks ago!

Unknown said...

just received the exact same message, but with different dollar amounts. Thank you for posting this!

tita40 said...

THANK YOU SO MUCH FOR POSTING.., I JUST GOT THE SAME EXACT MESSAGE (DOLLAR AMOUNT CHANGED) AND I WAS WORRIED SOMEONE HAD TAKEN MONEY OUT OF MY CHECKING ACCOUNT!