Yet another round of fake NACHA spam leading to malware is doing the rounds, this time the payload is on ragsnip.com/main.php?page=111d937ec38dd17e hosted on 188.8.131.52 (Global Net Access LLC, Atlanta). Blocking access to the IP is preferable to the domain as there may be other malicious domains on the same server.
An example spam email from this run (it seems no different to all the other ones):
Attention: Accounting Department
This message contains a report about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #: 007457776956967
Status of the transaction: pending
In order to resolve this matter, please review the transaction details using the link below as soon as possible.
Leave a reply