Sponsored by..

Showing posts with label NACHA. Show all posts
Showing posts with label NACHA. Show all posts

Tuesday 1 October 2013

Fake NACHA spam leads to malware on thewalletslip.com

This fake NACHA spam leads to malware on thewalletslip.com:

Date:      Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]
From:      ACH Network [markdownfyye396@nacha.org]
Subject:      Your ACH transfer


The ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.

Aborted transfer
ACH transfer ID:     428858072307
Reason of Cancellation     Notice information in the report below
Transaction Report     View Report 428858072307

About NACHA

Established in 1974, NACHA - The Electronic Payments Association was formed by the California ACH Association, the Georgia Association, the New England ACH Association, and the Upper Midwest ACH Association, to establish uniform operating rules for the exchange of Automated Clearing House (ACH) payments among ACH associations.

To help guide advocacy and related communication activities, NACHA established a Communications and Marketing Advisory Group (CMAG) in early 2010. CMAG brings together practitioners representing ACH Network participants to engage in work efforts to benefit the Network and those who utilize it.

NACHA and its member Regional Payments Associations help industry professionals expand their payments knowledge to further their professional development and benefit their employers. Offerings include in-person, desk-top, and distance learning courses, publications, and the Accredited ACH Professional (AAP) Program. Payments education offered by NACHA at the national level augments the rich offering of educational programs provided by the Regional Payments Associations throughout the country.

18580 Seaside Vale Drive, Suite 235
Herndon, VA 20171

© 2013 NACHA - The Electronic Payments Association

The link in the email goes through a legitimate hacked site and then runs one of three scripts:
[donotclick]theodoxos.gr/hairstyles/defiling.js
[donotclick]web29.webbox11.server-home.org/volleyballs/cloture.js
[donotclick]www.knopflos-combo.de/subdued/opposition.js

Then the victim is directed to a malware landing page at [donotclick]thewalletslip.com/topic/latest-blog-news.php and if you follow this blog regularly then you will not be at all surprised to find that it has been hijacked from GoDaddy (others listed in italics below). It is hosted on 75.98.172.238 (A2 Hosting, US) which is the same server spotted yesterday.

Recommended blocklist:
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org
poople.us
printslip.com
sellmention.com
smartstartfinancial.com
thewalletslip.com
tootle.us

theodoxos.gr
web29.webbox11.server-home.org
www.knopflos-combo.de

Wednesday 27 March 2013

NACHA spam / mgithessia.biz

This fake NACHA spam leads to malware on mgithessia.biz:

From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High

To whom it may concern:

We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please consult with your financial institution to obtain the updated version of the software.

Kind regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894
The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain, however it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this.

DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and  5.187.4.58 (the same).

Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org



Tuesday 26 March 2013

NACHA spam / breathtakingundistinguished.biz

This fake NACHA spam leads to malware on breathtakingundistinguished.biz:

From: "Гена.Симонов@direct.nacha.org" [mailto:corruptnessljx953@bsilogistik.com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High

Attn: Accounting Department

We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:

Click here for more information

Please consult with your financial institution to acquire the updated version of the software.

Yours truly,

ACH Network Rules Department
NACHA - The Electronic Payments Association


19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698

The malicious payload is at [donotclick]breathtakingundistinguished.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:


necessarytimealtering.biz
hitwiseintelligence.biz
breathtakingundistinguished.biz

Thursday 21 March 2013

NACHA spam / encodeshole.org

This fake NACHA spam leads to malware on encodeshole.org:

From: "Тимур.Родионов@direct.nacha.org" [mailto:biker@wmuttkecompany.com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High

Dear Sirs,

Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Click here for more information

Please apply to your financial institution to get the necessary updates of the Direct Deposit software.

Best regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548
The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:

91.234.33.187
encodeshole.org
rotariesnotify.org
rigidembraces.info
storeboughtmodelers.info


Wednesday 13 February 2013

NACHA spam / eminakotpr.ru

More fake NACHA spam, this time leading to malware on eminakotpr.ru:


Date:      Wed, 13 Feb 2013 05:24:26 +0530
From:      "ACH Network" [risk-management@nacha.org]
Subject:      Re: Fwd: ACH Transfer rejected

The ACH transaction, initiated from your checking acc., was canceled.

Canceled transfer:

Transfer ID: FE-65426265630US

Transaction Report: View

August BLUE

NACHA - The National Automated Clearing House Association
The malicious payload is at [donotclick]eminakotpr.ru:8080/forum/links/column.php hosted on:

46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains are all related and should be blocked:
46.175.224.21
91.121.57.231
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
dumarianoko.ru
egihurinak.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

NACHA spam / thedigidares.net

This fake NACHA spam leads to malware on thedigidares.net:


Date:      Wed, 13 Feb 2013 12:10:27 +0000
From:      " NACHA" [limbon@direct.nacha.org]
Subject:      Aborted transfer

Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.

Transaction ID:     648919687408
Cancellation Reason     Review additional info in the statement below
Transaction Detailed Report     Report_648919687408.xls (Microsoft/Open Office Word Document)


13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200

� 2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]thedigidares.net/detects/irritating-crashed-registers.php (report here) hosted on:

134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)



The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209
albaperu.net
capeinn.net
thedigidares.net
madcambodia.net
micropowerboating.net
dressaytam.net
acctnmrxm.net
albaperu.net
live-satellite-view.net
dressaytam.net


Monday 11 February 2013

NACHA Spam / albaperu.net

This fake NACHA spam leads to malware on albaperu.net:

Date:      Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From:      ACH Network [reproachedwp41@direct.nacha.org]
Subject:      ACH Transfer canceled

Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.

Transaction ID:     838907191379
Reason of Cancellation     See detailed information in the despatch below
Transaction Detailed Report     RP838907191379.doc (Microsoft Word Document)

                          

13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600

� 2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]albaperu.net/detects/case_offices.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

 The following malicious domains are present on these IPs and should be blocked:
acctnmrxm.net
albaperu.net
asistyapipressta.com
capeinn.net
live-satellite-view.net
madcambodia.net
morepowetradersta.com
rebelldagsanet.com
uminteraktifcozumler.com

Wednesday 23 January 2013

NACHA spam / canonicalgrumbles.biz

This fake NACHA spam leads to malware on canonicalgrumbles.biz:

Date:      Wed, 23 Jan 2013 16:55:46 +0100
From:      ".Анисимов@direct.nacha.org" [throttled2@inneremitte.de]
Subject:      Direct Deposit payment was declined

Attn: Accounting Department

We regret to inform you, that your latest Direct Deposit transaction (#432007776488) was declined,because of your current Direct Deposit software being out of date. The detailed information about this matter is available in the secure section of our web site:

Click here for more information

Please contact your financial institution to get the necessary updates of the Direct Deposit software.

Kind regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


10608 Sunrise Valley Drive, Suite 452
Herndon, VA 20169
Phone: 703-561-4685 Fax: 703-787-1154
The malicious payload is at [donotclick]canonicalgrumbles.biz/closest/984y3fh8u3hfu3jcihei.php (report here) hosted on 93.190.46.138 (Ukranian Hosting / ukrainianhosting.com)

I've seen other malware servers in 93.190.40.0/21 before, I would recommend blocking the whole lot.

Wednesday 26 December 2012

NACHA spam / bunakaranka.ru:

This fake ACH / NACHA spam leads to malware on bunakaranka.ru:

Date:      Wed, 26 Dec 2012 06:48:11 +0100
From:      Tagged [Tagged@taggedmail.com]
Subject:      Re: Fwd: Banking security update.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
The malicious payload is on [donotclick]bunakaranka.ru:8080/forum/links/column.php hosted on the following well-known IPs:

91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)


Plain list:
91.224.135.20
187.85.160.106
210.71.250.131

Associated domains:
bunakaranka.ru
afjdoospf.ru
angelaonfl.ru
akionokao.ru
apendiksator.ru
bilainkos.ru

Tuesday 23 October 2012

NACHA spam / bwdlpjvehrka.ddns.info

This fake NACHA spam leads to malware on bwdlpjvehrka.ddns.info:

Date:      Tue, 23 Oct 2012 05:44:05 +0200
From:      "noreply@direct.nacha.org"
Subject:      Notification about the rejected Direct Deposit payment

Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Details

Please contact your financial institution to acquire the new version of the software.

Sincerely yours

ACH Network Rules Department
NACHA | The Electronic Payments Association

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
The malicious payload is at [donotclick]bwdlpjvehrka.ddns.info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move.

Wednesday 10 October 2012

NACHA spam / formexiting.net

This fake NACHA spam leads to malware on formexiting.net:

From: The Electronic Payments Association [mailto:underlining34@anbid.com.br]
Sent: 10 October 2012 15:59
Subject: Rejected ACH transaction
Importance: High


The ACH transaction (ID: 9536860209937), recently issued from your bank account (by one of your account members), was reversed by the recepient's financial institution.
Canceled request
Transaction ID:     9536860209937
Reason of rejection    Review details in the statement below
Transaction Report    report_9536860209937.doc (Microsoft Office Word Document)


17390 Seaside Valley Drive, Suite 101
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association

The malicious payload is on [donotclick]formexiting.net/detects/review_reject_reason.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP that you should consider blocking.

Monday 1 October 2012

NACHA spam / onlinebayunator.ru

This fake NACHA spam leads to malware on onlinebayunator.ru:


Date:      Mon, 1 Oct 2012 04:16:46 -0500
From:      Bebo Service [service@noreply.bebo.com]
Subject:      Fwd: ACH Transfer rejected

The ACH debit transfer, initiated from your bank account, was canceled.

Canceled transaction:

Transfer ID: FE-764029897226US

Transaction Report: View



Valentino Dickey

NACHA - The Electronic Payment Association



f0c34915-3e624bbb


The malicious payload is at [donotclick]onlinebayunator.ru:8080/forum/links/column.php  (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:

84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)

Of note,  CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection.


Thursday 28 June 2012

NACHA Spam / porscheforumspb.ru

This fake NACHA spam leads to malware on porscheforumspb.ru:

Date:      Wed, 27 Jun 2012 06:18:09 -0430
From:      "Electronic Payments Association" [donotreply@nacha.org]
Subject:      Fwd: ACH Transfer rejected

The ACH transfer, initiated from your bank account, was canceled.

Canceled transfer:

Bath Nr.: FE-45452995330US

Transaction Report: View



ADELINE Jewell

Automated Clearing House, NACHA

The malicious payload is on [donotclick]porscheforumspb.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here), hosted on the following IPs:

110.234.176.99 (Tulip Telecom, India)
128.134.57.112 (Seoul Kwangun University, Korea)
190.81.107.70 (Telmex, Peru)

Friday 20 April 2012

NACHA Spam / 85.25.189.174

Another NACHA spam, leading to malware on 85.25.189.174:

From:     CarleySpan@hotmail.com
Date:     19 April 2012 21:25
Subject:     Your ACH transaction N73848938

The ACH credit transfer, initiated from your checking acc., was canceled by the other financial institution.

Canceled transaction:

Transaction ID: A7635857812UA
ACH Report: View

LINDSEY Zimmerman
NACHA - The Electronic Payment Association 


The malicious payload is on 85.25.189.174/showthread.php?t=34c79594e8b8ac0f hosted by Intergenia / PlusServer in Germany. Avoid.

Tuesday 28 February 2012

NACHA Spam / cgunikqakklsdpfo.ru

A terse version of the familiar NACHA fake spam, leading to malware:

Date:      Mon, 26 Feb 2012 12:16:40 +0530
From:      accounting@victimdomain.com
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department

The payload is on cgunikqakklsdpfo.ru:8080/img/?promo=nacha which is multihomed (details below). It's pretty easy to search your outbound logs for connection attempts to .ru:8080 if you haven't got filtering enabled.

The list of IPs gets a little shorter every time, but there are still some familiar hosts here:

50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)

A plain list for copy-and-pasting:
50.31.1.105
69.60.117.183
78.83.233.242
88.191.97.108
95.156.232.102
125.19.103.198
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100

Wednesday 22 February 2012

NACHA Spam / campingomotion.com

Another NACHA spam with a malicious payload:

From: The Electronic Payments Association filmeboo@filmeboo.com
Reply-To: The Electronic Payments Association
Date: 22 February 2012 21:46
Subject: Technical failure report

Valued Customer,

Unfortunately we notify you , that Direct Deposit payment (#ACH603865004417US) could not be completed, because of discontinued receipient account.

Direct Deposit procedure incomplete
Transaction # :     ACH603865004417US
Information:     Please download and print the transfer correction request below adjust the recipient banking details.
Transfer Report     report-ACH603865004417US.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2012 NACHA - The Electronic Payments Association

The malicious payload is on campingomotion.com/search.php?page=977334ca118fcb8c, IP 199.230.54.75 (Servint, US). Block the IP address in addition to the domain if you can.

Friday 17 February 2012

freac.net is back with a BBB spam run

freac.net is a domain used by malicious spam email pretending to be from the BBB or NACHA, as in this example. In that case, freac.net was apparently hosted on an IP belonging to Huawei in the US, but shortly afterwards it went non-resolving.

Well, freac.net is back and so is the spam promoting it.. e.g.

Date:      Fri, 16 Feb 2012 14:30:35 +0530
From:      "BBB"
Subject:      BBB case ID 28764441
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 28764441) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this case and let us know of your position as soon as possible.

We are looking forward to hearing from you.

Regards,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

===========

Date:      Fri, 16 Feb 2012 14:26:31 +0530
From:      "BBB"
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have been sent a complaint (ID 78067910) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this case and inform us about your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Currenly freac.net is hosted on 46.4.226.18 and 41.64.21.71, the first is a server rented from Hetzner in Germany, oddly the second is an ADSL line in Cairo.

Anyway, blocking those IPs will stop any further infections from those IPs. A Wepawet report for this infection is here.

Thursday 16 February 2012

NACHA Spam / billydimple.com and biggestblazer.com

Here we go again, another NACHA spam leading to a malicious payload..

From:  The Electronic Payments Association risk_manager@nacha.org
Date: 15 February 2012 13:52
Subject: Rejected ACH payment

The ACH transaction (ID: 44103676925895), recently initiated from your bank account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     44103676925895
Rejection Reason     See details in the report below
Transaction Report     report_44103676925895.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association
The malware is on biggestblazer.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 199.30.89.180 (Central Host Inc / Zerigo.. yet again). It attempts to download additional components from billydimple.com/forum/index.php?showtopic=656974  on 69.164.205.122 (Linode.. again).

I've now seen several malicious sites in the 199.30.89.0/24 range, it might be worth considering blocking the whole lot.

Tuesday 14 February 2012

NACHA Spam / biggestloop.com

Another NACHA spam leading to a malicious payload, this time on biggestloop.com.

Date:      Tue, 13 Feb 2012 19:06:18 +0100
From:      "The Electronic Payments Association"
Subject:      Your ACH transfer
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 54525654754524), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     54525654754524
Rejection Reason     See details in the report below
Transaction Report     report_54525654754524.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

I can't believe that there is a person in the world receiving this who will not have received hundreds of versions of the same thing before, but the spammers continue. The malicious payload is at biggestloop.com/main.php?page=27f6207e33edeeca (analysis here) on 206.214.68.57 (B2Net Solutions, Canada). Block the IP if you can. Better still, write some filters for your email system to keep the things far, far away.

NACHA Spam / freac.net

Another NACHA spam, this time with a malicious payload on the site freac.net.

Date:      Tue, 13 Feb 2012 11:12:12 +0100
From:      "The Electronic Payments Association" [alerts@nacha.org]
Subject:      ACH transaction canceled
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 14282248034397), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     14282248034397
Rejection Reason     See details in the report below
Transaction Report     report_14282248034397.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is on freac.net/main.php?page=cd12dfacc57c3f82 (report here) which is on IP address 12.133.182.133 (Huawei Technologies, US). Blocking access to the IP address will prevent any other malicious sites on the server from being a problem.