The Latest in IT Security

NACHA Spam / evrymonthnighttry.com and glasseseverydaynow.com

15 Dec 2011

More NACHA-themed spam this morning that redirects victims through a hacked legitimate site to a malware-laden page, this time hosted on evrymonthnighttry.com or glasseseverydaynow.com.

These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can’t see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.

It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.
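To check whether any internal host has already contacted this infrastructure, the indicators above can be swept across web proxy logs. The following is an added example, not part of the original post; the four-field log format (timestamp, client IP, destination IP, URL) and the sample lines are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the post above.
BLOCKED_NET = ipaddress.ip_network("46.183.216.0/21")
BLOCKED_DOMAINS = {"evrymonthnighttry.com", "glasseseverydaynow.com",
                   "bbb-complains.org"}

# Constructed sample log (hypothetical format): timestamp client dest_ip url
SAMPLE_LOG = """\
2011-12-15T07:45:02Z 10.0.0.12 46.183.217.119 http://evrymonthnighttry.com/
2011-12-15T07:45:09Z 10.0.0.31 192.0.2.10 http://example.org/index.html
2011-12-15T07:46:40Z 10.0.0.12 46.183.223.254 http://46.183.223.254/
2011-12-15T07:47:11Z 10.0.0.44 198.51.100.7 http://www.BBB-complains.org./
2011-12-15T07:48:00Z 10.0.0.50 46.183.224.1 http://notglasseseverydaynow.com/
malformed line
"""

def domain_matches(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")  # normalise case and trailing root dot
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def classify(line):
    """Return (client_ip, reasons) for a log line, or None if unparseable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, dest, url = parts
    try:
        dest_ip = ipaddress.ip_address(dest)
        host = urlsplit(url).hostname or ""
    except ValueError:
        return None
    reasons = []
    if dest_ip in BLOCKED_NET:      # connection by IP, even with no DNS name
        reasons.append("ip-range")
    if domain_matches(host):        # name match, even if hosting has moved
        reasons.append("domain")
    return client, reasons

def sweep(log_text):
    """Return (client_ip, reasons) for every line that hit an indicator."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for client, reasons in sweep(SAMPLE_LOG):
        print(client, ",".join(reasons))
```

Matching on both the range and the names matters here: bbb-complains.org was not resolving when the post was written, so a later hit on that name may point at an address outside 46.183.216.0/21.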

A couple of example emails:

Date:      Thu, 15 Dec 2011 07:42:51 +0000
From:      “[email protected]” [[email protected]]
Subject:      Your ACH transaction details

Attention: Accounting Department

This message includes an important information regarding the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction ID:    079788807282357
Transaction status:    pending

In order to resolve this matter, please use the link below to review the transaction details as soon as possible.

Yours faithfully,
Anthony Cooley
Chief Accountant

and

Date:      Thu, 15 Dec 2011 07:30:43 +0000
From:      “[email protected]” [[email protected]]
Subject:      Your pending ACH debit transfer

Dear Sir or Madam,

Please find below a report about the ACH debit transfer sent on your behalf, that was kept back by our bank:
Transaction #:    638798200851317
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours truly,
Kevin Hunt
Chief Accountant
