
Monday 13 February 2012

NACHA Spam / cooldcloud.com and twistcosm.com

Yet more NACHA spam leading to a malicious payload, this time on cooldcloud.com.

Date:      Mon, 12 Feb 2012 08:16:16 -1100
From:      "The Electronic Payments Association"
Subject:      ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 1366285882700), recently initiated from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transaction
Transaction ID:     1366285882700
Rejection Reason     See details in the report below
Transaction Report     report_1366285882700.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Mon, 12 Feb 2012 19:06:12 +0000
From:      "The Electronic Payments Association"
Subject:      ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 9485030409966), recently sent from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     9485030409966
Rejection Reason     See details in the report below
Transaction Report     report_9485030409966.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is at cooldcloud.com/search.php?page=73a07bcb51f4be71 hosted on 74.91.117.227 (Nuclear Fallout Enterprises... again). Blocking the IP is best as that will protect against other malware, although you may want to block more widely given the problems with this host.

The malware tries to download additional content from twistcosm.com/forum/index.php?showtopic=656974 on 199.30.89.139 (Central Host / Zerigo Inc), another problem hosting company.

You can find a Wepawet report here.

NACHA Spam / beaverday.biz

More fake NACHA spam, this time with a malicious payload on the domain beaverday.biz.

From:  The Electronic Payments Association office@officecar.ro
Reply-To:  The Electronic Payments Association
To:  itd@sos.com.ph
Date:  13 February 2012 10:06
Subject:  ACH transfer error

Dear Chief Accounting Officer,

We are sorry to inform you, that Direct Deposit payment (ID801400587332) has not been credited to the receiver account, because of partially missing banking details.

Direct Deposit procedure incomplete
Transaction ID :     801400587332
Details:     Please use the transfer correction request below provide the correct banking information.
Transfer Status     report-801400587332.doc (Micro soft Word Document)

Home About Us Site Map Contact Us NACHA Inquiries NACHA Privacy Policy NACHA Code of Conduct Disclaimer
Membership Education ACH Network ACH Rules Risk & Compliance News & Resources NACHA eStore

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2012 NACHA - The Electronic Payments Association

The payload is a Blackhole exploit kit at beaverday.biz/search.php?page=977334ca118fcb8c (Wepawet report here) which is hosted on 199.30.89.139 (Central Host Inc / Zerigo.net), just a few IPs away from 199.30.89.135 as used in this spam run a few days ago. I have also seen malicious activity on 199.30.91.44 in the same /21.. perhaps Zerigo / Central Host have a problem? Block IPs as you feel is appropriate..

Friday 10 February 2012

Malformed "nacha5_sbj}" spam leads to malware

Some stupid spammer has screwed up their campaign:

Date:      Fri, 9 Feb 2012 20:07:15 +0430
From:      payment@nacha.org
Subject:      nacha5_sbj}
Attachments:     nacha.jpg

The following information concerns the ACH transfer that was originally effectuated by you or any other person on 02-02-2012.

Transaction ID:
    89024101013314
Transaction status:    declined
Supplementary information:    Please read the detailed report

Faithfully,
Violette Coirs.

2012 NACHA - The Electronic Payments Association

This is a system generated email. Please do not respond.

The malicious payload is synergyledlighting.net/main.php?page=4e4959105994cf84 hosted on 131.94.130.132 (Florida International University, US) and 173.236.78.113 (Singlehop, US). That same domain was found in this spam, although one of the IPs has changed since then.

The Florida International University IP address gives a clue as to what is going on here - these servers are most likely hacked rather than rented. This also explains why some IPs have seemingly legitimate sites on them. Still, blocking access to these IPs is the safest thing to do.

Wednesday 8 February 2012

NACHA Spam / bluemator.com, synergyledlighting.net and hakkage.com

There has been a ton of NACHA-themed spam today, here are some examples:

Date:      Wed, 7 Feb 2012 18:17:43 +0200
From:      alert@nacha.org
Subject:      ACH payment canceled

The ACH transaction (ID: 8321348803546), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transaction
Transaction ID:     8321348803546
Reason of rejection     See details in the report below
Transaction Report     report_8321348803546.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

================

Date:      Wed, 7 Feb 2012 17:13:42 +0100
From:      payment@nacha.org
Subject:      Rejected ACH transaction

The ACH transaction (ID: 5999727582818), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     5999727582818
Reason for rejection     See details in the report below
Transaction Report     report_5999727582818.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

================

Date:      Wed, 7 Feb 2012 15:14:00 +0100
From:      transfers@nacha.org
Subject:      Rejected ACH transaction

The ACH transfer (ID: 5896958322102), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transaction
Transaction ID:     5896958322102
Reason for rejection     See details in the report below
Transaction Report     report_5896958322102.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Wed, 7 Feb 2012 15:58:54 +0200
From:      payments@nacha.org
Subject:      Your ACH transfer

The ACH transfer (ID: 118757985791), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Canceled transfer
Transaction ID:     118757985791
Reason for rejection     See details in the report below
Transaction Report     report_118757985791.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Wed, 7 Feb 2012 13:15:17 +0200
From:      alert@nacha.org
Subject:      ACH payment canceled

The ACH transaction (ID: 926663997526), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transfer
Transaction ID:     926663997526
Reason for rejection     See details in the report below
Transaction Report     report_926663997526.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The bad guys are using very heavily obfuscated JavaScript to try to hide what they are doing, but there is a malicious payload at the following URLs:

bluemator.com/search.php?page=73a07bcb51f4be71  [199.30.89.135 - Zerigo, US]
bluemator.com/content/adp2.php?f=126
hakkage.com/forum/index.php?showtopic=656974 [173.255.210.86 - Linode, US]
synergyledlighting.net/main.php?page=30e3ec8cd29abd6b [173.236.78.113 - Singlehop, US and 173.212.222.36 - HostNOC, US]
synergyledlighting.net/content/adp2.php?f=50

You can see a sample Wepawet report here and here.

Blocking access to the IPs 199.30.89.135, 173.255.210.86, 173.236.78.113 and 173.212.222.36 is probably a good idea..
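The URLs above share a small set of shapes (search.php or main.php with a 16-hex-digit page parameter, content/adp2.php?f=, forum/index.php?showtopic=), and the advice throughout these posts is to block by IP or range rather than by domain. The following is an added example, not code from this blog, showing how a defender might apply both ideas to proxy logs: flag requests whose URL matches those shapes, and flag requests whose destination IP falls inside a blocklist built from the IPs and ranges named on this page. The log line format and the log lines themselves are constructed for the example; the 93.184.216.34 and 203.0.113.10 addresses are benign placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Landing-page and follow-on URL shapes quoted in the post.
# Each entry: (URL path, query key, pattern the key's value must match).
LANDING_SHAPES = (
    ("/search.php", "page", re.compile(r"^[0-9a-f]{16}$")),
    ("/main.php", "page", re.compile(r"^[0-9a-f]{16}$")),
    ("/content/adp2.php", "f", re.compile(r"^\d+$")),
    ("/forum/index.php", "showtopic", re.compile(r"^\d+$")),
)

# Blocklist assembled from IPs and ranges named in these posts. Single hosts
# are written as /32 so that every entry is handled as a network.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "199.30.89.135/32", "173.255.210.86/32", "173.236.78.113/32",
    "173.212.222.36/32", "209.59.192.0/19", "46.45.136.0/21",
    "46.183.216.0/21", "79.137.224.0/20", "193.106.172.0/22", "92.55.144.0/21",
)]

# Constructed proxy-log format: timestamp client dest-ip method url
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def url_looks_like_landing(url):
    """True when the URL path and query match one of the quoted shapes."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    for path, key, value_re in LANDING_SHAPES:
        if parts.path == path and key in qs and value_re.match(qs[key][0]):
            return True
    return False


def ip_in_blocklist(ip_text, blocklist=BLOCKLIST):
    """Return the first blocklist network containing the IP, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in blocklist:
        if ip in net:
            return str(net)
    return None


def scan_log(lines, blocklist=BLOCKLIST):
    """Return one hit per log line that matches a URL shape or a blocked IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real scanner would count these
        reasons = []
        if url_looks_like_landing(m["url"]):
            reasons.append("landing-url-pattern")
        net = ip_in_blocklist(m["dest"], blocklist)
        if net:
            reasons.append("dest-ip in " + net)
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "reasons": reasons})
    return hits


# Constructed sample log lines (hosts and IPs from the post plus placeholders).
SAMPLE_LOG = [
    "2012-02-08T10:01:02 10.0.0.5 199.30.89.135 GET http://bluemator.com/search.php?page=73a07bcb51f4be71",
    "2012-02-08T10:01:03 10.0.0.5 173.255.210.86 GET http://hakkage.com/forum/index.php?showtopic=656974",
    "2012-02-08T10:05:00 10.0.0.7 93.184.216.34 GET http://www.example.com/index.html",
    "2012-02-08T10:06:00 10.0.0.9 209.59.221.65 GET http://sulusify.com/about.html",
    "2012-02-08T10:07:00 10.0.0.9 203.0.113.10 GET http://unknown-host.example/main.php?page=30e3ec8cd29abd6b",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The fourth sample line is the useful one: the URL is unremarkable, but the destination sits inside 209.59.192.0/19, which is exactly the case the posts make for blocking by address rather than by name. The last line shows the converse, a landing-page URL on an address not yet on any list.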

Thursday 2 February 2012

NACHA Spam / hakkabout.com and kansamentos.com

More NACHA spam with a malicious payload..

Date:      Thu, 1 Feb 2012 13:05:58 +0100
From:      risk@nacha.org
Subject:      Rejected ACH payment

The ACH transfer (ID: 424339813641), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     424339813641
Reason for rejection     See details in the report below
Transaction Report     report_424339813641.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The link redirects through a couple of legitimate hacked sites and ends up on hakkabout.com/search.php?page=73a07bcb51f4be71 on 96.126.117.251 (Linode, US). According to Wepawet, a subsequent download is attempted from kansamentos.com/forum/index.php?showtopic=192151 on 66.151.138.179 (Nuclear Fallout Enterprises, US). Blocking those two IPs is probably a good idea, although it isn't the first time that Linode or Nuclear Fallout Enterprises have hosted malware recently and it may not be the last.

Wednesday 1 February 2012

NACHA Spam / sulusify.com

More NACHA spam leading to a malicious payload..

Date:      Wed, 31 Jan 2012 10:43:44 +0200
From:      transactions@nacha.org
Subject:      ACH payment canceled

The ACH transfer (ID: 64930940909169), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     64930940909169
Reason of rejection     See details in the report below
Transaction Report     report_64930940909169.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

In this case, the malware is at sulusify.com/search.php?page=73a07bcb51f4be71 (it goes through a couple of redirectors first). A Wepawet report is here.

This is on 209.59.221.65 which is the Endurance International Group.. again. There are several malicious IPs in the 209.59.192.0/19 range now, perhaps indicating a deeper problem with this host.

Tuesday 31 January 2012

NACHA Spam / sulusate.com

More NACHA spam leading to a malicious payload:

Date: 31 January 2012 22:55
Subject: ACH transaction fault

The ACH transaction ID: 415864020375, that had been effectuated from your banking account lately, was rejected by the the bank of the recipient.

ACH transfer declined
Transaction ID:     415864020375
Details:     please see the report below for details
Transaction Report     report_415864020375.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

This leads to a malicious payload at sulusate.com/search.php?page=977334ca118fcb8c, hosted on 209.59.220.98 (Endurance International Group, US). A Wepawet report for the malicious page is here.

Blocking the IP will prevent other malicious sites on the same server from doing their stuff. Endurance International has hosted several such malicious sites recently.

NACHA Spam / matoreria.com

Another NACHA spam run leading to a malicious payload..

Date:      Tue, 30 Jan 2012 11:02:13 +0000
From:      info@nacha.org
Subject:      Your ACH transaction

The ACH transaction (ID: 8519169560300), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     8519169560300
Rejection Reason     See details in the report below
Transaction Report     report_8519169560300.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The payload is on matoreria.com/search.php?page=73a07bcb51f4be71 hosted on 66.150.164.137 (Nuclear Fallout Enterprises, Seattle). We've seen this ISP before. At the moment the payload seems not to be working properly.

Blocking access to the IP address will also block access to any other malicious sites on the same server.

Thursday 26 January 2012

NACHA Spam / chillechart.com and chillepay.com

More fake NACHA spam leading to malware, this time the malicious payload is at chillechart.com on 96.126.96.123 (Linode, New Jersey).

Date:      Thu, 25 Jan 2012 10:40:06 +0100
From:      "alerts@nacha.org" [alerts@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Account Holder,

This message includes an important notice about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    766253676295142
Transaction status:    pending

In order to resolve this matter, we prompt you to check the details of your transaction using the link below.

Faithfully yours,
Stephanie Barrera
Accounting Department

This follows the same pattern we have seen over the past few days. A Wepawet report for the malicious page is here. Blocking the IP address rather than the domain should block any other malicious sites on the server.

Update:  chillepay.com is also being used in this spam run, hosted on 69.164.199.231 (also Linode)

Wednesday 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:      Wed, 24 Jan 2012 13:31:58 +0100
From:      "manager@bbb.org" [manager@bbb.org]
Subject:      ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.

Thursday 22 December 2011

NACHA Spam / cgredret.ru

More NACHA spam, this time pointing to cgredret.ru (which we've seen before) which delivers a malicious payload.

Date:      Thu, 22 Dec 2011 03:37:35 +0530
From:      "NACHA"
Subject:      ACH Transfer rejected

ACH transaction, initiated from your checking account, was canceled.

Canceled transaction:

Transfer ID: B2793447923US

Transfer Report: View

GALINA Gunter

NACHA - The Electronic Payment Association

cgredret.ru has moved since yesterday and is now on 79.137.237.68. Unsurprisingly, it is now on Digital Network JSC in Russia (aka DINETHOSTING). Block access to 79.137.224.0/20 if you can.

Friday 16 December 2011

NACHA Spam/ ragsnip.com

Yet another round of fake NACHA spam leading to malware is doing the rounds, this time the payload is on ragsnip.com/main.php?page=111d937ec38dd17e hosted on 207.210.96.226 (Global Net Access LLC, Atlanta). Blocking access to the IP is preferable to the domain as there may be other malicious domains on the same server.

An example spam email from this run (it seems no different to all the other ones):

Date:      Fri, 16 Dec 2011 16:43:21 +0100
From:      "transactions@nacha.org" [transactions@nacha.org]
Subject:      Information on your pending transaction

Attention: Accounting Department

This message contains a report about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    007457776956967
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Faithfully yours,
Kathy Quirk
Accounting Department

NACHA Spam / ragsnub.com

More NACHA spam is doing the rounds, this time redirecting through a legitimate hacked site to ragsnub.com/main.php?page=69dbd5a1e3ed6ae9 on 184.171.248.35 (Hostdime, Florida).

There may be other bad domains on that server, so blocking access to the IP is the safest approach.

Thursday 15 December 2011

NACHA Spam / evrymonthnighttry.com and glasseseverydaynow.com

More NACHA themed spam this morning that redirects victims through a hacked legitimate site to a malware laden page, this time hosted on evrymonthnighttry.com or glasseseverydaynow.com.

These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can't see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.

It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.

A couple of example emails:

Date:      Thu, 15 Dec 2011 07:42:51 +0000
From:      "risk.manager@nacha.org" [risk.manager@nacha.org]
Subject:      Your ACH transaction details

Attention: Accounting Department

This message includes an important information regarding the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction ID:    079788807282357
Transaction status:    pending

In order to resolve this matter, please use the link below to review the transaction details as soon as possible.

Yours faithfully,
Anthony Cooley
Chief Accountant

and

Date:      Thu, 15 Dec 2011 07:30:43 +0000
From:      "alert@nacha.org" [alert@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Sir or Madam,

Please find below a report about the ACH debit transfer sent on your behalf, that was kept back by our bank:
Transaction #:    638798200851317
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours truly,
Kevin Hunt
Chief Accountant

Wednesday 14 December 2011

NACHA Spam / financeportal.sytes.net

More NACHA spam this morning, this time the payload is at financeportal.sytes.net/main.php?page=111d937ec38dd17e on 174.140.165.90. Blocking the IP address rather than the domain is probably best as there may be other malicious sites on that server.

174.140.165.90 is on Directspace LLC in Oregon, who seem to have a significant problem with malware at the moment; I have seen malicious sites on:

147.140.163.116
147.140.163.118
147.140.165.90
147.140.165.195

You might want to consider blocking Directspace LLC more widely if you are worried.

Tuesday 13 December 2011

NACHA Spam / badthen.com

More NACHA spam, this time leading to a malicious payload on badthen.com. Stupidly (again) the NACHA email appears to come from linkedin.com.

Date:      Wed, 14 Dec 2011 05:36:48 +0900
From:      "LinkedIn" [linkedin@em.linkedin.com]
Subject:      ACH transfer suspended

The ACH transaction (ID: 137297301664), recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Rejected transfer
Transaction ID:     137297301664
Rejection Reason     See details in the report below
Transaction Report     report_137297301664.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

The malware is on badthen.com/main.php?page=977334ca118fcb8c hosted on 173.230.130.158 (Linode, US). Blocking the IP address will block any other malware domains on the same server.

NACHA Spam / sadjumped.com / downloaddatafast.serveftp.com

More fake NACHA spam, this time leading to a malicious payload site on downloaddatafast.serveftp.com/main.php?page=977334ca118fcb8c on 173.230.137.34 (Linode, US).

Date:      Tue, 13 Dec 2011 14:15:51 +0100
From:      "LinkedIn" [linkedin@em.linkedin.com]
Subject:      ACH transaction not accepted

The ACH transfer (ID: 82065701523728), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.
Canceled transfer
Transaction ID:     82065701523728
Rejection Reason     See details in the report below
Transaction Report     report_82065701523728.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

serveftp.com is related to no-ip.com, if you block that domain then you should probably block serveftp.com as well. Blocking 173.230.137.34 would protect against any other malicious sites on the same server.

Update: another spam run is in progress using a domain sadjumped.com on the same server.
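Two points from this post and the one before it are worth turning into a repeatable check: a hostname under a dynamic-DNS parent (serveftp.com here, sytes.net in the financeportal post) is a throwaway name whose parent domain is the thing to consider blocking, and blocking an IP also covers every other hostname that resolves to it. The example below is added here and is not the blog's own code. The host-to-IP table is constructed from addresses named on this page; the list of dynamic-DNS parents is an assumption (only serveftp.com and sytes.net appear on the page, and the relationship to no-ip.com is stated by the author).

```python
import ipaddress
from collections import defaultdict

# Dynamic-DNS parent domains. serveftp.com and sytes.net appear in the posts;
# treating them as one no-ip.com family is an assumption for this example.
DDNS_SUFFIXES = ("serveftp.com", "sytes.net", "no-ip.com")

# Constructed host -> IP table built from addresses named in the posts.
OBSERVED = {
    "downloaddatafast.serveftp.com": "173.230.137.34",
    "sadjumped.com": "173.230.137.34",
    "badthen.com": "173.230.130.158",
    "financeportal.sytes.net": "174.140.165.90",
}


def ddns_parent(hostname, suffixes=DDNS_SUFFIXES):
    """Return the dynamic-DNS parent a hostname hangs off, or None."""
    h = hostname.lower().rstrip(".")
    for s in suffixes:
        if h == s or h.endswith("." + s):
            return s
    return None


def blocking_plan(observed, suffixes=DDNS_SUFFIXES):
    """For each hostname, say which IP to block, which other observed
    hostnames that IP block also covers, and whether the name is a
    dynamic-DNS subdomain (so a domain block would only hit the parent)."""
    by_ip = defaultdict(set)
    for host, ip in observed.items():
        by_ip[ipaddress.ip_address(ip)].add(host)

    plan = {}
    for host, ip in observed.items():
        siblings = sorted(by_ip[ipaddress.ip_address(ip)] - {host})
        plan[host] = {
            "block_ip": ip,
            "also_covers": siblings,
            "ddns_parent": ddns_parent(host, suffixes),
        }
    return plan


def block_entries(observed, suffixes=DDNS_SUFFIXES):
    """Split the plan into IP blocks (safe to apply as-is) and dynamic-DNS
    parents, which a policy decision has to approve because they also carry
    legitimate subscribers' hostnames."""
    plan = blocking_plan(observed, suffixes)
    ips = sorted({entry["block_ip"] for entry in plan.values()},
                 key=ipaddress.ip_address)
    parents = sorted({entry["ddns_parent"] for entry in plan.values()
                      if entry["ddns_parent"]})
    return {"ips": ips, "ddns_parents_needing_policy": parents}


if __name__ == "__main__":
    for host, entry in blocking_plan(OBSERVED).items():
        print(host, entry)
    print(block_entries(OBSERVED))
```

Blocking 173.230.137.34 covers sadjumped.com as well as the serveftp.com name, which is the author's point. The dynamic-DNS parents are reported separately rather than added to the blocklist automatically, since blocking serveftp.com outright is a wider decision than blocking one server.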

Friday 9 December 2011

NACHA Spam.. again.. and wonderfulwrench.com

The spammers have been busy today, here's another one leading to malware.

Date:      Fri, 9 Dec 2011 13:28:41 -0300
From:      "The Electronic Payments Association"
Subject:      ACH transaction rejected

The ACH transaction (ID: 870526083755), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.
Rejected transfer
Transaction ID:     870526083755
Reason of rejection     See details in the report below
Transaction Report     report_870526083755.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

The malicious payload is on wonderfulwrench.com/main.php?page=977334ca118fcb8c on 46.45.137.205 (Safya Net, Turkey). We saw the same IP range yesterday, so I recommend blocking access to 46.45.137.0/24 at the least, or 46.45.136.0/21 if you want to be a bit more aggressive in your filtering.

Thursday 1 December 2011

Spammers are stupid

What's wrong with this spam?

Date:      Thu, 1 Dec 2011 17:55:30 +0900
From:      "LinkedIn" [linkedin@em.linkedin.com]
To:      Victim
Subject:      So now you're on LinkedIn: What's next?

The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
Rejected transfer
Transaction ID:     730771521612
Reason of rejection     See details in the report below
Transaction Report     report_730771521612.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

Yup.. the headers are for a LinkedIn themed spam, the body is a NACHA themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.

The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 92.55.144.82 in Romania (I would recommend blocking the whole 92.55.144.0/24 block at least, or even 92.55.144.0/21 if you want to be on the safe side). The payload looks like a typical exploit kit.
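The mismatch the author spotted, LinkedIn headers on a NACHA-themed body with a link to a .doc "report" on an unrelated host, is the sort of thing a mail gateway can check mechanically. As an added example that is not part of this blog, the triage function below parses a message with Python's standard email module and reports the sender domain, whether the body is ACH-themed while the subject is not, whether an ACH-themed mail comes from somewhere other than nacha.org, any link hosts outside nacha.org, and the report_<digits>.doc lure. The sample message is constructed from the one quoted in the post; hacked-site.example is a placeholder for the redirector host.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

ACH_WORDS = re.compile(r"\b(ACH|NACHA|Electronic Payments Association)\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
REPORT_LURE_RE = re.compile(r"\breport[_-]\d+\.doc\b", re.IGNORECASE)

# Constructed message modelled on the one quoted in the post. The link host
# is a placeholder; the original mail's redirector host is not on the page.
SAMPLE_MESSAGE = """\
From: "LinkedIn" <linkedin@em.linkedin.com>
To: victim@example.org
Subject: So now you're on LinkedIn: What's next?
Content-Type: text/plain; charset="us-ascii"

The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.

Transaction Report: http://hacked-site.example/report_730771521612.doc

(c) 2011 NACHA - The Electronic Payments Association
"""


def _plain_text_body(msg):
    """Concatenate every text/plain part (walk() yields the message itself
    when it is not multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Return the sender domain and a list of heuristic findings."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = _plain_text_body(msg)

    findings = []
    body_is_ach = bool(ACH_WORDS.search(body))
    if body_is_ach:
        findings.append("body-theme:ACH")
        if not ACH_WORDS.search(subject):
            findings.append("subject-body-mismatch")
        if sender_domain != "nacha.org" and not sender_domain.endswith(".nacha.org"):
            findings.append("sender-not-nacha")
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if host and host != "nacha.org" and not host.endswith(".nacha.org"):
            findings.append("offsite-link:" + host)
    if REPORT_LURE_RE.search(body):
        findings.append("report-lure")
    return {"sender_domain": sender_domain, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```

None of these checks proves a mail is malicious on its own; a genuine nacha.org sender domain is trivially forged, as the other posts on this page show, and that is why the link host and the .doc lure are reported alongside the header checks rather than instead of them.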

Tuesday 22 November 2011

Spoof ACH mails, neoprenpillar.com and decalintos.com

Yet another ACH / NACHA / whatever scam email, they go something like this:

Date:      Tue, 22 Nov 2011 10:42:43 +0100
From:      "The Electronic Payments Association" [alerts@nacha.org]
Subject:      Rejected ACH transaction

The ACH transfer (ID: 925071618701), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     925071618701
Reason for rejection     See details in the report below
Transaction Report     report_925071618701.doc (Microsoft Word Document)

About NACHA
The ACH Network had its start in the early 1970's when a group of California bankers formed the Special Committee on Paperless Entries (SCOPE) in direct response to the rapid escalation of check volume in the United States. The Committee set out to explore the technical, operational, and legal framework necessary for an automated payments system, leading to the formation of the first ACH association in 1972. Similar groups soon formed around the country.
NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

payments knowledge to further their professional development and benefit their employers. Offerings include in-person, desk-top, and distance learning courses, publications, and the Accredited ACH Professional (AAP) Program. Payments education offered by NACHA at the national level augments the rich offering of educational programs provided by the Regional Payments Associations throughout the country.

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

Other subjects include:

  • ACH transfer failure
  • Rejected ACH transaction
  • Your ACH transaction
  • ACH transaction canceled
  • Rejected ACH transaction

There's a link through to a hacked site, containing four embedded javascripts on other hacked sites which eventually lead to decalintos.com or neoprenpillar.com, both hosted on 193.106.174.219 (IQHost Ltd, Russia). This tries to download a variety of exploits (Wepawet report here).

IQHost seems to be over-run with this sort of toxic crap at the moment. Blocking access to 193.106.172.0/22 is probably a smart move.