This time there is no suspicious attachment, only a suspicious link

Sep 28, 2011 10:15 GMT

Not long ago the Automated Clearing House's name was used in a spam campaign, and now it is once again being abused by a malicious email that is making the rounds.

Websense revealed that they have been monitoring these emails; unlike last time, the messages carry no attachment, and the malware is delivered through an innocent-looking link instead.

“ACH Payment xxxxxx Canceled” is the subject line of every email in the campaign. The xxxxxx portion is a number that changes from message to message, so that two recipients who know each other and compare notes will not immediately notice they have received the identical alert.

The recipient is told that a recent transaction initiated from their checking account was cancelled by “the other financial institution”, and a link to a transaction report is offered where the “details” can be checked.

The link is displayed as a nacha.org address, but it actually points to a domain called huntcheerful.com, which appears to be down at the time of writing.
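The trick in this lure is the gap between what the link shows and where it goes. As an added example (not Websense's tooling and not code from the article), the Python script below shows how a mail filter could catch exactly that: it parses the HTML body, compares the domain a reader sees in each link's text with the domain in its href, and combines that with a match on the campaign's subject line pattern. The sample message body and the subject token are constructed for the example; the domain names are the ones the article mentions.

```python
"""Flag HTML e-mails whose visible link text advertises one domain while
the href points somewhere else, the trick used by the ACH lure.
Added example; the sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject line of the campaign; the token after "Payment" varies per message.
SUBJECT_RE = re.compile(r"^ACH Payment \S+ Canceled$", re.IGNORECASE)

# Link text that a reader would take as a URL or a bare domain name.
DOMAINISH_RE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # None when we are not inside an <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Hostname of a URL or bare domain, lower-cased; None if unparsable."""
    if "://" not in url_like:
        url_like = "//" + url_like      # make urlparse treat it as a netloc
    host = urlparse(url_like).hostname
    return host.lower() if host else None


def registered_domain(host):
    """Last two labels (nacha.org for www.nacha.org). Simplification: a
    production filter should consult the Public Suffix List for co.uk-style
    suffixes."""
    return ".".join(host.split(".")[-2:])


def find_deceptive_links(html):
    """Return (shown_text, real_href) for anchors whose displayed domain
    differs from the domain the href really leads to."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not DOMAINISH_RE.match(text):
            continue                    # "click here" style text: nothing to compare
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            findings.append((text, href))
    return findings


def is_ach_lure(subject, html):
    """True when the campaign subject and a domain-mismatched link both occur."""
    return bool(SUBJECT_RE.match(subject.strip())) and bool(find_deceptive_links(html))


# Constructed sample modelled on the lure described in the article.
SAMPLE_SUBJECT = "ACH Payment 582031 Canceled"
SAMPLE_HTML = """
<p>The ACH transaction, recently initiated from your checking account,
was cancelled by the other financial institution.</p>
<p>Transaction report:
<a href="http://huntcheerful.com/main.php?page=582031">
https://www.nacha.org/ach_reports/report_582031.html</a></p>
<p>Questions? <a href="https://www.nacha.org/contact">Contact NACHA</a></p>
"""

if __name__ == "__main__":
    for shown, real in find_deceptive_links(SAMPLE_HTML):
        print(f"displayed {shown} -> actually {real}")
    print("ACH lure:", is_ach_lure(SAMPLE_SUBJECT, SAMPLE_HTML))
```

The second anchor in the sample ("Contact NACHA") is deliberately left alone: plain call-to-action text carries no domain to compare, so the check only fires when the message itself claims a destination it does not deliver.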

That location hosted a Blackhole exploit kit, one of the most widely deployed exploit kits seen in the wild. Such a kit probes the visitor's browser and plugins for unpatched flaws and, when it finds one, drops its payload without any further action from the user.

VirusTotal flagged the dropped file as clearly malicious, with most anti-virus vendors detecting it as Zbot (Zeus). Microsoft identifies it as PWS:Win32/Zbot.gen!AF, a password-stealing trojan that also contains backdoor functionality, giving the cybercriminal unauthorized access to and control of the affected computer.

It is also known to copy itself to other machines when a Remote Desktop Services connection is available.

Websense counted more than 200,000 such messages, so the potential number of infections is clearly large.

Because most anti-virus applications now pick up the payload, anyone with an up-to-date signature database has some protection, but that is not the whole story: the exploit kit lands the malware through unpatched browser and plugin flaws, so keeping the browser and its plugins current matters at least as much. Be extra careful with notices about financial transactions, and check where a link really leads before clicking it (hover over it, or inspect the message source). As this case shows, it is not difficult for an attacker to make a link to malware look genuine.