Date: Mon, 14 Nov 2011 17:53:54 +0100
Subject: Disallowed Direct Deposit payment
Dear Sirs,
Herewith we are notifying you, that your latest Direct Deposit transaction (No. 60795715105) was disallowed, because of your business software package being out of date. The detailed information about this matter is available in the secure section of our web site:
hxxp://astola.com.au/93oj63/index.html
Please apply to your financial institution to obtain the new version of the software.
Kind regards,
Sidney Gross
ACH Network Rules Department
NACHA - The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
and then
Date: Mon, 14 Nov 2011 02:42:02 +0530
From: accounting@victimdomain.com
Subject: Fwd: Wire Transfer Confirmation (FED 5697WN59)
Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.
Transaction ID: 85802292158295165
Current status of transaction: under review
Please review transaction details as soon as possible.
Bernadette Dickinson
Payments Administration
and finally
Date: Mon, 14 Nov 2011 10:56:29 +0530
From: "HARMONY URBAN" support@federalreserve.gov
Subject: Your Wire Transfer
Good day,
Account: Business Account XXX
Amount: $ 93,056.63
Wire Transfer Report: View
The wire transfer will be processed within 2 hours.
Please make sure that everything is as you requested.
HARMONY URBAN,
Federal Reserve Wire Network
The first spam leads to a hacked site in Australia (there are probably many others). In turn, this tries to load four scripts to install malware through an HCP attack (Wepawet report here). The scripts are:
lallygag.com/js.js
www.miracleshappenrr.com/images/js.js
kyare.net/js.js
allmemoryram.com/js.js
In all cases, those scripts appear to be on legitimate (but hacked) websites. The final step for that attack is to try to install a malicious Java application from colobird.com/content/import.jar - a domain that is hosted on 216.250.120.100 but one that was only registered very recently.
The second and third emails take a different approach, loading a page at www.btredret.ru/main.php hosted on 93.187.142.38 (S.C. Profisol Telecom S.R.L., Romania). This attempts a Java exploit (Wepawet report here). This IP is part of a small netblock of 93.187.142.32 - 93.187.142.63 (93.187.142.32/27) and can probably safely be blocked, or you could just block the whole /24 if you wanted.
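As an added defender-side example (not part of the original post), the following Python checks a few constructed proxy log lines against the indicators named above: the hacked script hosts, the colobird.com JAR host on 216.250.120.100, www.btredret.ru, and the 93.187.142.32/27 netblock. The "client dest-ip url" log format and the sample lines are constructed for illustration only.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators taken from the post: hacked hosts serving js.js, the JAR host,
# the Russian landing page, and the Romanian netblock suggested for blocking.
BAD_HOSTS = {
    "lallygag.com", "www.miracleshappenrr.com", "kyare.net",
    "allmemoryram.com", "colobird.com", "www.btredret.ru",
}
BAD_IPS = {ipaddress.ip_address("216.250.120.100")}
BAD_NETS = [ipaddress.ip_network("93.187.142.32/27")]

# Constructed log format "<client> <dest-ip> <url>" (not from the post);
# RFC 5737 documentation ranges are used for the benign/unknown entries.
SAMPLE_LOG = """\
10.0.0.5 216.250.120.100 http://colobird.com/content/import.jar
10.0.0.7 93.187.142.38 http://www.btredret.ru/main.php
10.0.0.9 203.0.113.10 https://www.example.org/index.html
10.0.0.9 93.187.142.60 http://198.51.100.1/js.js
"""


def classify(line):
    """Return which indicator type one log line matched, or None."""
    client, dest, url = line.split(maxsplit=2)
    host = (urlparse(url).hostname or "").lower()
    if host in BAD_HOSTS:
        return "host"
    dest_ip = ipaddress.ip_address(dest)
    if dest_ip in BAD_IPS:
        return "ip"
    # CIDR containment catches any address in .32-.63, not just .38
    if any(dest_ip in net for net in BAD_NETS):
        return "netblock"
    return None


def scan(log_text):
    """Map each flagged URL to the indicator type that matched it."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict:
            hits[line.split(maxsplit=2)[2]] = verdict
    return hits


if __name__ == "__main__":
    for url, why in scan(SAMPLE_LOG).items():
        print(f"{why:9s} {url}")
```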
This is an old approach that has been doing the rounds for two years. It must still work though.