The Latest in IT Security

There has been a ton of NACHA-themed spam today, here are some examples:

Date:      Wed, 7 Feb 2012 18:17:43 +0200
From:      [email protected]
Subject:      ACH payment canceled

The ACH transaction (ID: 8321348803546), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transaction
Transaction ID:     8321348803546
Reason of rejection     See details in the report below
Transaction Report     report_8321348803546.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

================

Date:      Wed, 7 Feb 2012 17:13:42 +0100
From:      [email protected]
Subject:      Rejected ACH transaction

The ACH transaction (ID: 5999727582818), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     5999727582818
Reason for rejection     See details in the report below
Transaction Report     report_5999727582818.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

================

Date:      Wed, 7 Feb 2012 15:14:00 +0100
From:      [email protected]
Subject:      Rejected ACH transaction

The ACH transfer (ID: 5896958322102), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transaction
Transaction ID:     5896958322102
Reason for rejection     See details in the report below
Transaction Report     report_5896958322102.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

==================

Date:      Wed, 7 Feb 2012 15:58:54 +0200
From:      [email protected]
Subject:      Your ACH transfer

The ACH transfer (ID: 118757985791), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Canceled transfer
Transaction ID:     118757985791
Reason for rejection     See details in the report below
Transaction Report     report_118757985791.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

==================

Date:      Wed, 7 Feb 2012 13:15:17 +0200
From:      [email protected]
Subject:      ACH payment canceled

The ACH transaction (ID: 926663997526), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transfer
Transaction ID:     926663997526
Reason for rejection     See details in the report below
Transaction Report     report_926663997526.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

 The bad guys are using very heaving obfuscated javascript to try to hide what they are doing, but there is a malicious payload at the following URLs:

bluemator.com/search.php?page=73a07bcb51f4be71  [199.30.89.135 – Zerigo, US]
bluemator.com/content/adp2.php?f=126
hakkage.com/forum/index.php?showtopic=656974 [173.255.210.86 – Linode, US]
synergyledlighting.net/main.php?page=30e3ec8cd29abd6b [173.236.78.113 – Singlehop, US and 173.212.222.36 – HostNOC, US[
synergyledlighting.net/content/adp2.php?f=50

You can see a sample Wepawet report here and here.

Blocking access to the IPs  199.30.89.135, 173.255.210.86, 173.236.78.113 and 173.212.222.36 is probably a good idea..