A new wave of spam emails is targeting business users and attempts to infect them with a variant of the ZeuS banking trojan by posing as ACH transfer failure notifications.
According to researchers from antivirus vendor Trend Micro who analyzed the campaign, the emails purport to come from NACHA – The Electronic Payments Association, the regulatory agency for the Automated Clearing House (ACH) network.
The ACH network is commonly used by companies to process large volumes of credit and debit transactions, such as payroll or vendor payments, in batches.
According to Gary Warner, director of research in Computer Forensics at the University of Alabama at Birmingham (UAB), the emails have subjects like "ACH transaction cancelled", "ACH Transfer rejected", "Your ACH transaction" and other such variations.
The message body is always the same and reads: "The ACH transaction , recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association. Please click here to view details."
The link takes recipients to a website pushing a fake Java update that is actually a variant of the infamous ZeuS (Zbot) information stealing trojan.
One of the more interesting aspects of this attack is the large number of domains with ACH in their name registered specifically for this spam run.
At the moment, malware distributors prefer using compromised legitimate websites because they are cheaper and easier to replace when they lose control over them.
Registering so many domains for a single campaign is somewhat excessive and suggests that the people behind this attack do not lack financial resources and that the return on investment they expect justifies the costs.
Another trick used by these spammers is the forging of headers to make it appear as if the emails originate from thousands of IP addresses, when in fact they come from just a few. There are also clear indications that they are being sent from compromised Gmail accounts.
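The three traits the article describes (ACH-themed lure subjects, links to freshly registered ACH-named domains, and a forged Received chain that claims far more origin hosts than really exist) can be turned into a simple mail-gateway triage check. The script below is an added example written for this page, not code from Trend Micro, UAB or the article's authors; the receiving server name, the allowlist of trusted link domains, and both sample messages are constructed placeholders, and the "ACH" token heuristic is an assumption about how this campaign's domains were named.

```python
"""Triage an inbound email for the ACH-lure pattern described in the article.

All names below are constructed for this example: OUR_MX is the hostname of
the receiving mail server (the only Received line it wrote is trustworthy),
and TRUSTED_LINK_DOMAINS is the allowlist of domains expected in genuine
payment notifications.
"""
import email
import re
from email import policy

OUR_MX = "mx.example.test"                   # constructed receiving MX
TRUSTED_LINK_DOMAINS = {"payments.example"}  # constructed allowlist

# Subject lures quoted in the article: "ACH transaction cancelled",
# "ACH Transfer rejected", "Your ACH transaction" and variations.
LURE_SUBJECT = re.compile(r"\bACH\b.*\b(transaction|transfer)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Match "ach" only as a whole label token, so hosts like "cache.example" do not fire.
ACH_TOKEN = re.compile(r"(^|[-.])ach([-.]|$)", re.I)
# "from <host> ... by <host>" in a Received line; each hop records the previous one.
HOP_RE = re.compile(r"from\s+([^\s(]+).*?\bby\s+([^\s(;]+)", re.S)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def connecting_ip(msg):
    """IP recorded in the Received line OUR_MX itself added (topmost, trusted)."""
    for hdr in msg.get_all("Received", []):
        if f"by {OUR_MX}" in hdr:
            m = IPV4_RE.search(hdr)
            return m.group(1) if m else None
    return None


def received_chain_break(msg):
    """Walk the Received chain top-down: hop N+1 must have been added 'by' the
    host that hop N says it received 'from'. Forged lines below the real one
    usually break this link, which is how a fake list of origins is exposed."""
    hops = [HOP_RE.search(h) for h in msg.get_all("Received", [])]
    hops = [(m.group(1).lower(), m.group(2).lower()) for m in hops if m]
    for upper, lower in zip(hops, hops[1:]):
        if lower[1] != upper[0]:
            return (f"Received chain broken: a hop claims to be added by {lower[1]}, "
                    f"but {upper[1]} actually received the message from {upper[0]}")
    return None


def link_domains(body):
    hosts = []
    for url in URL_RE.findall(body):
        hosts.append(re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower())
    return hosts


def triage(raw):
    """Return a verdict plus the individual findings that produced it."""
    msg = parse(raw)
    body = msg.get_content() if not msg.is_multipart() else ""
    findings = []
    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT.search(subject):
        findings.append(f"lure subject: {subject!r}")
    for host in link_domains(body):
        if ACH_TOKEN.search(host) and host not in TRUSTED_LINK_DOMAINS:
            findings.append(f"link to untrusted ACH-themed domain: {host}")
    chain = received_chain_break(msg)
    if chain:
        findings.append(chain)
    # Two independent indicators together are treated as suspicious.
    return {"verdict": "suspicious" if len(findings) >= 2 else "clean", "findings": findings}


# Constructed sample mirroring the campaign: forged Received lines below the
# real one, a lure subject, and a link to an ACH-named domain.
LURE_SAMPLE = """\
Received: from mail.relay.example (mail.relay.example [198.51.100.7]) by mx.example.test with ESMTP id 1
Received: from alpha.forged.example ([203.0.113.44]) by mx2.forged.example with SMTP id 2
Received: from beta.forged.example ([203.0.113.45]) by alpha.forged.example with SMTP id 3
From: "The Electronic Payments Association" <alerts@payments.example>
To: accounting@example.test
Subject: ACH Transfer rejected
Content-Type: text/plain; charset=us-ascii

The ACH transaction, recently initiated from your bank account, was rejected.
Please click here to view details: http://ach-transaction-report.example/view
"""

# Constructed benign message: one real hop, ordinary subject, allowlisted link.
CLEAN_SAMPLE = """\
Received: from mail.relay.example (mail.relay.example [198.51.100.7]) by mx.example.test with ESMTP id 4
From: billing@payments.example
To: accounting@example.test
Subject: Invoice 42 is ready
Content-Type: text/plain; charset=us-ascii

Your invoice is available at http://payments.example/invoice/42
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, triage(raw))
```

The only Received line worth trusting is the one the local MX wrote; everything below it was supplied by the sender and is exactly where the campaign's forged origins live, so the chain-consistency check looks for the seam between the real hop and the fabricated ones rather than trusting any listed IP.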