May 16, 2011 18:16 GMT

The malware distribution gang that sends spam emails purporting to come from the Electronic Payments Association (NACHA) has switched to using shortened URLs in its campaigns.

Posing as NACHA is not a new technique; it has been used since November 2009. However, a new campaign has been going strong for the past couple of weeks.

The fake email messages bear many subjects, including "ACH payment canceled", "ACH payment rejected", "ACH transaction canceled", "ACH Transfer canceled", "ACH transfer rejected", "Rejected ACH payment", "Rejected ACH transaction", "Rejected ACH transfer", "Your ACH transaction" and "Your ACH transfer".

The same variety is kept for the spoofed email addresses. These include: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] and [email protected].

The emails inform recipients that their ACH (Automated Clearing House) transfers have been canceled or rejected by their financial institution and direct them to a URL for more details. They read:

"The ACH transfer (ID: 65388185980), recently sent from your checking account (by you or any other person), was cancelled by the other financial institution.

"Please click here [link] to view details. If you have any questions or comments, contact us at [email protected]. Thank you for using http://www.nacha.org."

The links lead to websites that prompt users to install what appear to be Java updates, which are actually variants of the notorious ZeuS banking trojan.

According to Gary Warner, director of research in Computer Forensics at the University of Alabama at Birmingham (UAB), the gang behind this campaign was known for registering hundreds of domain names for each spam run.

However, it has recently switched tactics and is now abusing almost three dozen URL shortening services, many of which are obscure and unlikely to respond to abuse reports.

The 2mb.eu service was the most abused based on the spam emails collected and analyzed by Mr. Warner's department. More than 1,000 malicious shortened URLs have been observed in this campaign.

Instead of leading to hundreds of domain names, all of the shortened URLs direct users to a page on mnuyspe.co.be which executes a drive-by download attack. Using this method, spammers are able to keep a high level of variation in their emails while keeping the cost of the campaign low.
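The two observable traits described above, ACH-themed lure subjects and many different shortener services that all resolve to one landing host, can be turned into a mail-gateway triage check. The script below is an added example written for this article; it is not code from the article, from NACHA or from UAB. The message samples, the shortener hosts other than 2mb.eu, the `landing.invalid` destination and the `REDIRECT_TABLE` stand-in for actually following redirects are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# "ACH" as a standalone, case-sensitive word plus one of the verbs/nouns seen in the
# article's subject lines ("canceled", "rejected", "transaction", "transfer", "payment").
ACH_WORD_RE = re.compile(r"\bACH\b")
ACH_KEYWORDS = ("cancel", "reject", "transaction", "transfer", "payment")

# Shortener hosts to watch. 2mb.eu is named in the article; the *.example hosts are
# constructed placeholders standing in for the other services.
SHORTENER_HOSTS = {"2mb.eu", "short.example", "tiny.example", "go.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>\]]+")

# Constructed offline stand-in for redirect expansion: short URL -> next URL.
# In production this would be replaced by HEAD requests issued from an isolated host.
REDIRECT_TABLE = {
    "http://2mb.eu/abc1": "http://landing.invalid/java_update.html",
    "http://short.example/x9": "http://landing.invalid/java_update.html",
    "http://tiny.example/q7": "http://landing.invalid/java_update.html",
    "http://short.example/menu": "http://cafeteria.example/menu",
}

# Constructed sample messages modelled on the lure text quoted in the article.
SAMPLE_MESSAGES = [
    {"subject": "ACH payment canceled",
     "body": "The ACH transfer (ID: 65388185980) was cancelled by the other financial "
             "institution. Please click here http://2mb.eu/abc1 to view details."},
    {"subject": "Rejected ACH transfer",
     "body": "Your transfer was rejected. Details: http://short.example/x9"},
    {"subject": "Your ACH transaction",
     "body": "See http://tiny.example/q7 for the rejected transaction."},
    {"subject": "Lunch on Friday?",
     "body": "This week's menu is at http://short.example/menu"},
]


def is_ach_lure_subject(subject: str) -> bool:
    """True when the subject matches the campaign's ACH wording."""
    return bool(ACH_WORD_RE.search(subject)) and any(k in subject.lower() for k in ACH_KEYWORDS)


def extract_urls(body: str) -> list:
    return URL_RE.findall(body)


def expand_short_url(url: str, redirect_table: dict, max_hops: int = 5) -> str:
    """Follow the (offline) redirect chain; stop at the first URL not in the table
    or after max_hops to avoid redirect loops."""
    for _ in range(max_hops):
        nxt = redirect_table.get(url)
        if nxt is None:
            return url
        url = nxt
    return url


def classify_message(msg: dict, redirect_table: dict) -> dict:
    """Flag a message when an ACH lure subject is combined with a shortener link,
    and record where the shortened links finally land."""
    reasons = []
    final_hosts = set()
    if is_ach_lure_subject(msg["subject"]):
        reasons.append("ach-subject")
    for url in extract_urls(msg["body"]):
        host = urlparse(url).hostname
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortener:{host}")
            final_hosts.add(urlparse(expand_short_url(url, redirect_table)).hostname)
    suspicious = "ach-subject" in reasons and any(r.startswith("shortener:") for r in reasons)
    return {"suspicious": suspicious, "reasons": reasons, "final_hosts": final_hosts}


def find_convergence(messages: list, redirect_table: dict, min_shorteners: int = 2) -> dict:
    """Group shortener links by the host they expand to. A landing host reached through
    several distinct shortener services is the pattern the article describes."""
    by_final = defaultdict(set)
    for msg in messages:
        for url in extract_urls(msg["body"]):
            host = urlparse(url).hostname
            if host in SHORTENER_HOSTS:
                final_host = urlparse(expand_short_url(url, redirect_table)).hostname
                by_final[final_host].add(host)
    return {final: sorted(hosts) for final, hosts in by_final.items()
            if len(hosts) >= min_shorteners}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", classify_message(m, REDIRECT_TABLE))
    print("converging landing hosts:", find_convergence(SAMPLE_MESSAGES, REDIRECT_TABLE))
```

The per-message check alone would also fire on a legitimate newsletter that happens to use a shortener, so the convergence view is the more useful signal: one landing host fed by three unrelated shortener services across unrelated senders is hard to explain innocently, and it is the property that survives no matter how many subject lines or sender addresses the gang rotates.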