Tuesday 1 October 2013

Fake NACHA spam leads to malware on thewalletslip.com

This fake NACHA spam leads to malware on thewalletslip.com:

Date:      Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]
From:      ACH Network [markdownfyye396@nacha.org]
Subject:      Your ACH transfer


The ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.

Aborted transfer
ACH transfer ID:     428858072307
Reason of Cancellation     Notice information in the report below
Transaction Report     View Report 428858072307

About NACHA

Established in 1974, NACHA - The Electronic Payments Association was formed by the California ACH Association, the Georgia Association, the New England ACH Association, and the Upper Midwest ACH Association, to establish uniform operating rules for the exchange of Automated Clearing House (ACH) payments among ACH associations.

To help guide advocacy and related communication activities, NACHA established a Communications and Marketing Advisory Group (CMAG) in early 2010. CMAG brings together practitioners representing ACH Network participants to engage in work efforts to benefit the Network and those who utilize it.

NACHA and its member Regional Payments Associations help industry professionals expand their payments knowledge to further their professional development and benefit their employers. Offerings include in-person, desk-top, and distance learning courses, publications, and the Accredited ACH Professional (AAP) Program. Payments education offered by NACHA at the national level augments the rich offering of educational programs provided by the Regional Payments Associations throughout the country.

18580 Seaside Vale Drive, Suite 235
Herndon, VA 20171

© 2013 NACHA - The Electronic Payments Association

The link in the email goes through a hacked but otherwise legitimate site and then runs one of three scripts:
[donotclick]theodoxos.gr/hairstyles/defiling.js
[donotclick]web29.webbox11.server-home.org/volleyballs/cloture.js
[donotclick]www.knopflos-combo.de/subdued/opposition.js

The victim is then directed to a malware landing page at [donotclick]thewalletslip.com/topic/latest-blog-news.php. If you follow this blog regularly you will not be at all surprised to find that the domain has been hijacked from GoDaddy (others listed in italics below). It is hosted on 75.98.172.238 (A2 Hosting, US), the same server spotted yesterday.

Recommended blocklist:
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org
poople.us
printslip.com
sellmention.com
smartstartfinancial.com
thewalletslip.com
tootle.us

theodoxos.gr
web29.webbox11.server-home.org
www.knopflos-combo.de
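As an added example (not part of the original post), the script below turns the blocklist above into something a defender can actually run over web-proxy logs: it separates IP entries from domain entries, strips the [donotclick] defanging used in write-ups like this one, and flags a request when its host is a listed IP, a listed domain, or a subdomain of a listed domain (so www.thewalletslip.com is caught, while notthewalletslip.com is not, which a naive substring search would get wrong). The log lines are constructed sample data; the indicators are the ones quoted in the post.

```python
"""Match proxy-log requests against the blocklist from this post.

Added example, not the blog's own tooling. The blocklist entries are the
indicators quoted above; SAMPLE_LOG is constructed data in a generic
"timestamp client method url status" layout.
"""
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the post (IP plus domains, one per line).
BLOCKLIST = """
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org
poople.us
printslip.com
sellmention.com
smartstartfinancial.com
thewalletslip.com
tootle.us
theodoxos.gr
web29.webbox11.server-home.org
www.knopflos-combo.de
"""

# Constructed sample proxy log: two hits on the script/landing-page chain,
# one hit on the bare IP, one benign request, and one look-alike domain
# that must NOT match.
SAMPLE_LOG = """\
2013-10-01T07:36:10 10.0.0.12 GET http://theodoxos.gr/hairstyles/defiling.js 200
2013-10-01T07:36:12 10.0.0.12 GET http://thewalletslip.com/topic/latest-blog-news.php 200
2013-10-01T07:36:40 10.0.0.31 GET http://www.example.com/index.html 200
2013-10-01T07:37:02 10.0.0.31 GET http://75.98.172.238/topic/latest-blog-news.php 200
2013-10-01T07:37:15 10.0.0.44 GET http://notthewalletslip.com/ 200
"""


def parse_blocklist(text):
    """Split a blocklist into a set of IP addresses and a set of domains."""
    ips, domains = set(), set()
    for line in text.splitlines():
        entry = line.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            domains.add(entry)
    return ips, domains


def refang(url):
    """Undo the defanging used in write-ups so the URL can be parsed."""
    url = url.replace("[donotclick]", "").replace("hxxp", "http").replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    return url


def host_of(url):
    """Return the lower-cased host part of a (possibly defanged) URL."""
    return (urlsplit(refang(url)).hostname or "").lower().rstrip(".")


def matches(host, ips, domains):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    if host in ips:
        return True
    labels = host.split(".")
    # Walk up the parent chain (a.b.c -> a.b.c, b.c) but never down to a
    # bare TLD, so a listed domain catches its subdomains and nothing else.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in domains:
            return True
    return False


def scan_log(log_text, blocklist_text=BLOCKLIST):
    """Return (client, url) for every log request whose host is blocklisted."""
    ips, domains = parse_blocklist(blocklist_text)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        client, url = fields[1], fields[3]
        if matches(host_of(url), ips, domains):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"BLOCKLIST HIT {client} -> {url}")
```

Feeding a real proxy log into scan_log only requires adjusting the field positions in the split; the matching logic is the part worth keeping, since the parent-domain walk is what makes a short blocklist like this one useful against the subdomains and www variants that turn up in practice.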
