Convincing "ACH Transfer Review" messages sent by hackers

Sep 8, 2011 08:36 GMT  ·  By

The Automated Clearing House (ACH) network, governed by NACHA, the U.S. electronic payments association, was impersonated in a spam campaign sent to unsuspecting users in order to spread malware.

The samples investigated by MalwareCity were quite convincing, mainly because the sender address was spoofed to look like a legitimate NACHA email account.

After McAfee's quarterly report put spam volumes at a record low, things seem to have taken a wrong turn somewhere: a new wave of malicious campaigns has been observed over the past week.

This particular message, titled "ACH Transfer Review," tells the recipient that a transaction has failed and that the payment details need to be reviewed.

The recipient is then asked to fill in the application form attached to the email and send it back to the sender.

The attachment is a zip archive containing what appears to be a PDF document for the recipient to review. On closer inspection, the "PDF" is actually an executable that installs a downloader on the soon-to-be-infected computer. A document icon and a hidden double extension such as .pdf.exe are the usual ways an executable passes for a document, since Windows hides known file extensions by default. The downloader's job is to fetch further malware from the web and install it on the machine.

A few moments later, the Zeus bot (detected as Trojan.Generic.6152125) is installed on the machine, where it monitors online banking sessions and sends out usernames and passwords for a variety of services that might be of interest to the attackers.

Even though this theft attempt looks like it really came from the payments association, Websense Security Labs traced where the messages actually came from. The From address is trivially forged; what gives the game away are the routing details added by the mail servers along the way, which show the messages passing through "digitalskys.com", the domain of a wireless solutions company, most likely abused by the cybercriminals to hide their true origin.
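The two checks described above, the spoofed sender exposed by the message's routing headers and a zipped "PDF" that is really an executable, can be automated. The following Python script is an added example, not code from the article, MalwareCity or Websense. The message it builds, including the relay names, the RFC 5737 documentation IP addresses and the file names, is constructed for the example and is not data from the real campaign. It finds the relay the recipient's own mail server actually saw (versus the domain shown in From:) and checks every member of the zip attachment for an executable extension, a hidden double extension, and a PE (MZ) header where a PDF is claimed.

```python
"""Triage of an "ACH Transfer Review" style message.

Added example; not code from the article, MalwareCity or Websense. The
message, relay names, IP addresses (RFC 5737 documentation ranges) and file
names are constructed for this example and are not data from the campaign.
"""
import email
import email.policy
import io
import json
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows runs directly. Explorer hides the final extension of a
# known type by default, so "review.pdf.exe" is displayed as "review.pdf".
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Build a message shaped like the one described (constructed data)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # A PE file named to look like a PDF; "MZ" is the DOS header magic.
        zf.writestr("ACH_Transfer_Review.pdf.exe", b"MZ" + b"\x00" * 62)
        # A genuine minimal PDF, for contrast.
        zf.writestr("ACH_Terms.pdf", b"%PDF-1.4\n%%EOF\n")

    msg = EmailMessage()
    # The visible sender is forged to look like NACHA (address made up).
    msg["From"] = "ACH Network <notification@nacha.org>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "ACH Transfer Review"
    # Each hop prepends a Received header: the first one was written by the
    # recipient's own MX (trustworthy); the last one is the earliest hop
    # visible and may have been written by the spammer.
    msg["Received"] = ("from mail.digitalskys.com (mail.digitalskys.com [203.0.113.45]) "
                       "by mx.example.net with ESMTP id EXAMPLE01 "
                       "for <victim@example.net>; Thu, 8 Sep 2011 08:12:01 +0000")
    msg["Received"] = ("from nacha.org (unknown [198.51.100.77]) "
                       "by mail.digitalskys.com with SMTP id EXAMPLE00; "
                       "Thu, 8 Sep 2011 08:11:58 +0000")
    msg.set_content("Your transaction failed. Review the attached form and return it.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="ACH_Transfer_Review.zip")
    return msg.as_bytes()


def trace_origin(msg) -> dict:
    """Compare the From: domain with the relay the recipient's MX really saw."""
    hops = []
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_FROM.search(str(hdr))
        if m:
            hops.append({"helo": m.group(1), "reverse": m.group(2) or ""})
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    relay = ""
    if hops:
        # Prefer the reverse-DNS name our MX recorded over the HELO name,
        # which the connecting host chooses for itself.
        rev = hops[0]["reverse"].split()[0] if hops[0]["reverse"] else ""
        relay = (rev if rev and rev.lower() != "unknown" else hops[0]["helo"]).lower()
    return {
        "from_domain": from_domain,
        "relay_seen_by_mx": relay,
        "earliest_claimed_hop": hops[-1]["helo"].lower() if hops else "",
        "from_matches_relay": relay == from_domain or relay.endswith("." + from_domain),
    }


def inspect_zip(data: bytes) -> list:
    """Flag archive members that pose as documents but carry an executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                magic = fh.read(4)
            exts = ["." + p for p in info.filename.lower().split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXEC_EXTENSIONS:
                reasons.append("executable extension " + exts[-1])
                if len(exts) > 1:
                    shown = info.filename.rsplit(".", 1)[0]
                    reasons.append("double extension, displayed as %s with extensions hidden" % shown)
            if magic.startswith(b"MZ"):
                reasons.append("PE (MZ) header")
            if ".pdf" in exts and not magic.startswith(b"%PDF"):
                reasons.append("named .pdf but content is not PDF")
            findings.append({"name": info.filename, "suspicious": bool(reasons), "reasons": reasons})
    return findings


def triage(raw: bytes) -> dict:
    """Parse a raw message and return origin and attachment findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {"origin": trace_origin(msg), "attachments": []}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        members = inspect_zip(payload) if payload.startswith(b"PK\x03\x04") else []
        report["attachments"].append({"filename": part.get_filename(), "members": members})
    if any(m["suspicious"] for a in report["attachments"] for m in a["members"]):
        report["verdict"] = "block: executable disguised as a document"
    elif not report["origin"]["from_matches_relay"]:
        # Not proof on its own: legitimate bulk mail is often relayed by third parties.
        report["verdict"] = "review: From: domain never appears in the delivery path"
    else:
        report["verdict"] = "no indicator"
    return report


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_message()), indent=2))
```

Only the Received header written by your own mail server can be trusted; every earlier one may have been inserted by whoever injected the message, which is why the script reads the relay from the first header and treats the earliest claimed hop (here a HELO of "nacha.org" with no reverse DNS) as a claim rather than a fact. A mismatch between the From: domain and the delivery path is only a hint, since plenty of legitimate mail is sent through third-party relays, so the verdict is driven by the attachment: an archive member with an executable extension, a double extension, or an MZ header under a .pdf name is enough to block on its own.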