NACHA Spam Gang Starts Using Shortened URLs

Thanks for the info. I just received one of these messages. I was suspicious even though it is a scenario that could happen.

Thank you for this article. I just received an email and was suspicious. However, it would be helpful if you could give advice on what to do. Should I just delete, or take further action?

I just received one and the e-mail had a .pdf attachment. When I looked at it more closely, without opening it, I noticed the .pdf.exe extension. I also knew I did not do any transactions so my suspicions were heightened.
I did a quick search and found out immediately that it was SPAM with a malware payload.

just got one this morning, my anti spyware program picked it up, money well spent

nacha.notification.center@nacha.com

got another spam email address to add in.

I just received one yesterday and again today via my business website email address. The address of the spammer in this one is:
account.manager@nacha.us
Add that one to the list. Thanks for letting me know it's spam. I'll keep deleting and block them.

I received one from account.manager@nacha.net

They are also using: account.manager@nacha.com. I didn't notice any .com's in the list above.

Thank you for this information!
I just receive this spam!

I have had two today. While attempting to send to the nacha website it could not be sent as it has a virus. Just thougth i would state this up front, so simply do not open up the file requesting you to open pdf as it does have virus.

I just received an attachment of report_082011-65.pdf.zip sent from account.manager@nacha.com. Also today's date is 8/30 but the email is dated as being sent on 8/3 at 2:13 am although it just arrived in my inbox.

There should be some sort of recourse for people who are being abused by these villains. Whom is responsible for prosecuting these people? I am sick and tired of dealing with these sorts of predators & not being able to do anything about it. Who's with me?

I vote for burying these folks up to their necks in e-waste and letting them sit for a while until they become really, really uncomfortable. Then, we dig them out and make them disassemble the waste for re-processing and re-use. Turn them to the good side!

I too have just received three of these types of emails. And had purchased a few items from an online store (I trust) a couple of hours before getting the first email. Both emails come from "account manager " and have the file "report_082011-65.pdf.zip" in all three emails. So they are hoping that you just see the "pdf" and open the file. Very tricky way to do, because most users wouldn't even see the "zip" part of the file name.

Being an IT Professional it just shows how these people waste there time and ours thinking well fall for this.

I agree with "Fed Up" that there should be away to go after this villains / criminals. And it needs to start with the Domain Registrar's and the email system as a whole.

TWICE received trojan, detected by Symantec Norton Anti-Virus, inside
"ACH Payment 0738443 Canceled.zip" from account.manager@nacha.com. My email header has nacha.com IP as 202.94.150.163 and also 209.62.20.200.

I RARELY ever give out my main email address. One of the online retail vendors I buy from must have sold my email address and I'm really * . Now I'm on a spammer's list. I expect to receive more of these types of emails in the future. Once they get your address, there's nothing you can do except just delete the email, change your email address, or add the offender's email address to your filter.

I just received one of these emails today, with a zipped attachment, stating that I had to open the form and complete it. It's amazing that this information is available here on Softpedia, but the FBI's IC3 division can't seem to nail down the culprits. Just another government waste of money for one more worthless division.

Van: ach@nacha.org Aan: my emailadress Subject: ACH Transfer Review

ACH transfer (ID:03847439) is going to be reviewed because of the incorrectly input data
when sending the payment.

Important:
Please, fill in the application form attached attentively and send it to us.
After that your transfer will be processed.

If you have any questions or comments, contact us at info@nacha.org.
Thank you for using www.nacha.org

Cathy McNickle
NACHA Risk Management Services

I sent them the following text back:

You are doomed. You will never sleep comfortable! At night i come to you and disturbing you at your sleep. Watch out and be sent to hell! You are doomed. When you send me a mail again, i come to you and take you away to Satan. You dont need to worry if it is cold where you were delivered.


I am not a medium. But I wish I could send them to hell.

"I sent them the following text back: You are doomed."

You can't send a message "back" because you don't have the spammers address... You just doomed somebody unrelated with a randomly chosen address from an (also otherwise completely) spoofed message.

I just received one of these emails with a .txt file.
I didn't open the file but did click on the link, how do you know if you've been f-ed... ??

They are now sending a zip file

Hunt them down and prosecute them!!!

Here is what I received today. The e-mail was titled "ACH Transfer Review" and was from 'achvdbed@nacha.org'. I was one of the 24 addresses it was sent to!!! That and the obvious spelling mistakes... It would be funny if I didn't think someone might fall for it! It had a .zip file, 'FormApp_2313' attached.

Dear Client,

ACH transfer (ID:27) is going to be reviewed because of the incorrecbtly
inpgut data
when sending the payment.


Important:
Please, fill in thee application form attbached attentively and send it to
us.
After that your transfer will be processed.

If you hdave any questioens or comments, contact us at info@nacha.org.
Thank you for using NACHA

Cathy McNickle
NACHA Risk Management Services

i received one yesterday......from from Cathy McNickle NACHA Risk Management Servises, promptly deleted because of suspicion.

David, Carnarvon Western Australia

I Also recieved another one: This time from manager@NACHA.net

Dear Valued Client,

We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions:

-(ID: 34584306)
-(ID: 30400540)
-(ID: 22998155)
-(ID: 23108421)

initiated from your bank account by you or any other person, who might have access to your account.

Detailed report on initiated transactions and reasons for cancellation can be found in the attachment.

thanks guys fo the info i got an email from the ******** its del now :D

I got this message today, and another email account they use is mailto:notify350qxogi@nacha.gov So also add this to the list, thank you for your helpful information x

One of these emails arrived in my Spam Folder this morning. I immediately deleted it, as I do all spam, then googled NACHA out of curiosity, & found this link. What I want to know is how do these bastards get our email addresses???

I got fifteen emails at the time from ach01@nacha.org every third day for two weeks. Dated 2011-08-03. It ens up in my spam box, got the message it contains a trojan.

It is sick what is going on right now. I don't see how NACHA can continue to do business under this name much longer. I can't help but feel that NACHA is criminally negligent at this point.

so I opened this email on my iphone. Instantly realised my mistake deleted it.

opened up my computrer, and the anti virus saw it in my inbox, and instructed me that really I should get rid off before opening. I did this for my laptop, but is my iphone screwed?

They also run of the same wireless hub - am I really screwed?

The term "criminally negligent" is overly harsh, Nacha.org are being targeted as well. I get spam from all kinds of banks and social networks, legitimate companies that are being targeted can't just change their names or domain names at the drop of a hat, and that is no guarantee it won't happen. Let's be clear who the criminals are - the Spammers! There is legitimate spam where people opt-in, then there is criminal spam. This is criminal spam. Also, somebody said something about the FBI being incompetent - remember a lot of these communications are coming from foreign countries and the FBI does not have jurisdiction, and it could take a long time to work thru local channels, but that time the spammers close up shop and start fresh somewhere else. These criminal spammers are scum of the earth.

I just got one of these emails. Fortunately the URL was blocked by Firefox. However, what disturbs me (and what made me click the link, despite suspicions) is that I did do a wire transfer of money (not something I commonly do) at just about the time that the phishing email was sent out. This implies that the crooks have inside information about when wire transfers are sent and about the identity (or at least the email) of the people arranging them.

Not necessarily. I don't make any transfers and I do get these spam messages. It's a shotgun approach, they send it to thousands, most recipients ignore it, but statistically a few in the right situation (as you) will fall for it.

Thanks for the information. I received this email today and started searching in Google. This information truely helpful.
Cheers,

I received a suspected fraudulent message even though I have got good anti-virus security installed on my PC. I was suspicious so I immediately forwarded it to: abuse@NACHA.ORG who replied stating : " Your cooperation will assist in our efforts with security experts and law enforcement officials to pursue the perpetrators."
If everyone who receives these suspicious emails forwards them to the above address then maybe the culprits will be caught quickly.

I just received 36 of these emails spam caught them all.

You are lucky, would love to know which anti spam software you are using!!

Just received an e-mail with .pdf.exe attachment. Interesting thing is that i just initiated a NEW electronic transfer so their timing was impeccable. Luckily I looked this up on the interent before I did anything else.

I got the same email from transactions@nacha.org. I have to admit I opened the email and after reading the txt I opened the link because I had just purchased something online! also my email spam program let the email through which never happened before...but when I hit the link my internet explorer couldnt open the pdf. it said 404 Error or something like that. So the actual page didnt open and I didnt download anything.... Do I still have to suspect any concequences? help???

you were lucky.

Received the following fake email on 14-Nov-2011:
From: Caspar Gamble [alcamal@royaltitleco.com]
Subject: Declined Direct Deposit payment

The email includes a link (http) containing 'atscaf.fr'

Thank you

Got an email exactly as described,was suspicious so decided to google it and found your article,many thanks!

I received an email this morning to my work email. We are a debt collection agency and we do tons of ACH payments, physical and electronic, daily. Through experience, I knew almost immediately this was spam. I forwarded the email to "abuse@nacha.org" like their website instructs you to do to aid their efforts in stopping this. I am going to copy and paste the whole email so everyone knows what it looks like (personal email address taken out for privacy):

From: The Electronic Payments Association [alerts@nacha.org]
Sent: Tuesday, November 22, 2011 4:26 AM
To: ****@*******.com
Subject: Rejected ACH transaction


{NACHA company logo}

The ACH transaction (ID: 469568098377), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transfer

Transaction ID:
469568098377

Reason of rejection
See details in the report below

Transaction Report
report_469568098377.doc (Microsoft Word Document)
{^^hyperlink^^}

About NACHA
By 1978, it was possible for two financial institutions located anywhere in the United States to exchange ACH payments under a common set of rules and procedures. By 1988, the number of ACH payments exceeded 1 billion annually. By 2001, the volume of ACH payments grew by more than 1 billion in a single year.
More than 18.2 billion ACH payments were made in 2008, an increase of 1.2 billion over 2007. ACH payment volume continues to double every five years. The 2007 Federal Reserve Payments Study revealed ACH payments had the largest compound annual growth rate, 18.6 percent, of all U.S. non-cash payments.

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

{END OF EMAIL}

Everyone has been talking about the attachment or link being either a .ZIP or a .PDF.EXE file but the attachment I got was a .DOC. These criminals are very very sneaky. To the unsuspecting/oblivious, a DOC file looks legit. If I hover over the link I see that it is a hyperlink to a website: http://oramamed.com/qid2rm/index.html (PLEASE DO NOT ATTEMPT TO GO THERE) This scam/phish/trojan/malware attack is evolving and getting smarter... Please spread awareness and maybe we can stop this.

Excellent info. I just got one of these. Thank You.

Thanks for the posting. I just got one and they have changed to a different email type and the person it came from was identified as Sylvia.Dougherty@deloitte.com but in the email, her signature line says NACHA and she references a recent ACH transaction. I emailed deloitte.com and deleted the bogus email without opening it.

We just received one of these "ACH Transaction Reports" from risk@nacha.org with a reply to Linkedin
It also shows a "report 950373605XXXX.doc Transaction report". I believe this to be a phishing attempt.
RRF

Thank you for explaining that. I've just received one in my inbox too! The buggers!!!

I have recd. an email from payment@nacha.org (.) Thanks for the inf. (.)
Also suggest what to do with this sort of messages, whether to delete without opening or to block (.) How to avoid such messages (.) Can anybody help ?

Some IP addresses I found for these emails

98.138.91.56
98.138.90.49
98.138.84.38
127.0.0.1
98.138.91.166
106.10.149.1
106.10.166.62
106.10.167.170
127.0.0.1

Hack the hackers if you can. (Also. if you have a hotmail, you can rioght click on the message and hit "View Message Source" and it will give you this information. Many of these look similar, which might mean they are using a proxy. but the best way to get at them is to slow that server down so much that it is unusable.

I am sending this as I do not know what to do about this.. what is it?
As you requested with your variable amount flexible recurring wire instructions, we process a wire transfer to HFG HEALTHCO-4 every day.

You have asked us to continue sending wires until notified.

On May 17, 2012 we processed a wire per this instruction in the amount of $5,023.87

If you want to stop sending wires, please login https://businessaccess.citibank.citigroup.com/cbusol/signon.do and make changes, or you may contact us by Secure Email.
Do I leave it alone or what