Rejected ACH transaction
Rejected ACH payment
Your ACH transfer
…

The email is send from the spoofed addresses like:

“\”The Electronic Payments Association\” risk.manager”@nacha.org
“\”The Electronic Payments Association\” alerts”@nacha.org
“\”The Electronic Payments Association\” risk”@nacha.org
“\”The Electronic Payments Association\” transfers”@nacha.org
“\”The Electronic Payments Association\” ach”@nacha.org
“\”The Electronic Payments Association\” payment”@nacha.org
…

The email has the following body:

The ACH transaction (ID: 02710822288793), recently sent from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transaction
Transaction ID: 02710822288793
Reason for rejection See details in the report below
Transaction Report report_02710822288793.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

A sample of the email:

The URLs for the transaction report are different and in some cases no longer valid. Some examples:

hxxp://minalimo.com/f9oYYmiY/index.html
hxxp://maerlipinte.ch/LaV4inWa/index.html
hxxp://hotel-sicily.it/aRpcdCjd/index.html
…

One of the URLs did give us a result: hxxp://ftp.samisalami.com/8KQZuSAy/index.html.

When investigating the HTML code of this web page we got the following:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type=”text/javascript” src=”hxxp://firstnamestore.com/utn08WYD/js.js”></script>
<script type=”text/javascript” src=”hxxp://ftp.adamsmarketing.com/VRssE3iH/js.js”></script>
<script type=”text/javascript” src=”hxxp://mediapoolstarnberg.de/WrqeCaoy/js.js”></script>
<script type=”text/javascript” src=”hxxp://paolomisirochi.com/nqrmZKRC/js.js”></script>
<script type=”text/javascript” src=”hxxp://lonnytyler.com/MZF0uXsc/js.js”></script>
<script type=”text/javascript” src=”hxxp://orquestrachapo.com/jAmCDzeM/js.js”></script>

</html>

As you can see, some Javascripts are loaded when opening this web page. Some URLs to the javascripts are also obsolete but some of them returns the code: “document.location=’hxxp://sulusate.com/forum/index.php?showtopic=997439′;”.

The above URL gives us the web page with the following code:

<body>
<applet code=’Verifa.class’ archive=’rhi.jar’ width=’24′ height=’22′>
<param name=”dest” value=”lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs”>
</applet>
</body><body>
<applet code=’Ooo.class’ archive=’Ooo.jar’ width=’24′ height=’22′>
<param name=”dest” value=”lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi”>
</applet>
</body>

When opening the URLs  in a web browser – something we do not recommend to even try – you will get redirected to bing.com or another web site so you won’t see this code.

It seems that some javascript is obfuscated and that .jar files are involved here inside an applet. The risk is that these applets in java could contain malicious code. Ooo.jar is however related to OpenOffice but in this case it can also be used for phishing.

This email is a security risk – a virus or a phishing attempt – for sure so do not follow any URLs or open files.

Amsterdam Code :

007498.

Geachte Rabobank. klant,

Rabobank is niet in staat om uw rekening te verifieren.

Uw rekening moet zo snel mogelijk gecontroleerd worden.

Uw kunt dit doen door de onderstaand link te download met ur system.

Opmerking: U zal gecontacteerd worden door een van onze medewerkers van Rabobank voor meer informatie over dit nieuwe systeem.

Hoogachtend,

Customer Service,

Rabobank.

*Belangrijk*

Werk uw administratie op of voor 48 uur, een gebrek aan uw administratie bij te werken zal resulteren in een tijdelijke greep op uw geld.

© 2011 Rabobank. N.V. Nederland? . All rights reserved.

The email comes with an attachment named Activeren.html and this HTML files contains a web form that will submit the details to the host hxxp://www.paminklaita.lt/images/go.php.

As always, MX Lab advises not to fill in any details when receiving emails from your bank with HTML attachments included.

ABN AMRO Systeembeveiliging

The first variant, with a very good lay out and style, comes with the subject “ABN AMRO Systeembeveiliging” or “ABN AMRO Systeembeveiling” and is sent from the spoofed email address “ABN AMRO NV <customercare@abnamro.nl>”.

This will redirect you to hxxp://www.clumber.net/abnamro/abn.html.

When filling in al the details a redirect to the real ABN Amro is executed.

Belangrijk bericht van ABN AMRO Bank

The second variant comes with the subject “Belangrijk bericht van ABN AMRO Bank” and is sent from the spoofed email address “ABN AMRO Bank <klant.services@abnamro.nl>”.

Beveiliging Message Alert van ABN AMRO Bank

Another variant comes with the subject “Beveiliging Message Alert van ABN AMRO Bank” and is sent from the spoofed email address “ABN AMRO BANK <customer.services@abnamro.nl>”.

Installatie mijn ABN AMRO Bank

This one comes with the subject “Installatie mijn ABN AMRO Bank” and is sent from a random spoofed email address.

This one will redirect you to hxxp://70.38.120.162/~abnsecbk/secure/.

ABN-AMRO BANK

This last one comes with the subject “Belangrijk Nieuws Mijn ABN-AMRO Bank” and is sent from a random spoofed email address.

MX Lab offers it’s zero hour anti virus, managed anti spam and email archiving services at a lower price of € 7 per user per year*, a huge € 2 per user discount, and the great news is that you only need to request a 15 day trial and change your MX records to make use of our service.

Our special promotion price also affects our other services like Email Archiving or the Hosted solutions. Visit our web site for a full pricing overview.

Request your 15 day trial today!

Are you active as an IT solutions provider and want to offer the MX Lab services to your clients? Do not hesitate to contact us and join the MX Lab Partner Program and benefit for the special pricing as well!

* MX Lab offers its services at a special promotion price until 31 December 2011. In order to obtain the promotion you will need to request a 15 day trial and use the trial account by modifying your MX records in order to use the MX Lab service. Each trial that is converted in a subscription at the end of the trial will benefit of the special lower price for one year.

The email is  has the following body (including the SNS Bank logo on top):

Geachte klant,

SNS is niet in staat om uw rekening te verifiлren. Uw rekening dient zo snel mogelijk geverifieerd te worden.

U kunt uw rekening simpel weg verifiлren door op de volgende link te klikken.

Om de procedure te starten download en klik op de onderstaande link.

Lukt dit proces? Dan word u doorverwezen naar het Klantenservice van sns.nl

SNS bedankt u voor uw medewerking

Hoogachtend,
Klantenservice,

Ga snel naar:

© 2011 SNS Bank
SNS Bank
Inloggen
Disclaimer
Privacy- en cookiereglement
Over SNS Bank
Klantenservice

The email has the attachment SNS_RekeningActiveren. Once downloaded and openen we found the following web form to fill in:

The web form will submit the filled in details to hxxp://www.couvreurrivesud.ca/images/go.php and redirect you to the official and real SNS Bank web site.

Phishing attempts with attachments are not new. It is one of the techniques we’ve seen emerging last year in order to avoid interception by URL filters when emails are scanned. Even today we see several different campaigns based on this technique.

The phish looks very good and is well designed. The spoofed emailaddress, the logo, layout and even the footer matches. Images are taken from the web server http://pics.ebaystatic.com/. One small thing to notice is that in the footer the word “Unsubscribe” doesn’t have an unsubscribe option but apart from that, this phish scores.

The URL points to hxxp://www.mittemaedchen.de/twg176/admin/www.paypal.co.uk/details.php?cmd=_login-done&login_access=1193476743.

At this form, the phishers will take over the filled in details and redirect you to a new screen.

The form does warn you when some fields are not filled in but doesn’t check if the VISA card number matches with the verification number to validate the card number.

After this screen you are redirected to the official PayPal web sites at the login screen.

Note: at the time of writing Firefox did not issue a warning regarding this phishing site.

The email caught our attention because the Dutch version is quite good. This is the body text:

Het is u ongetwijfeld niet ontgaan dat wij de laatste tijd doelwit zijn van internetcriminaliteit. Om te voorkomen dat deze internetcriminelen misbruik van uw rekening kunnen maken hebben wij onlangs een waarschuwing gepubliceerd. Ondanks deze waarschuwingen komt het helaas nog te vaak voor dat er internetcriminelen misbruik maken van ons beveiligingssysteem. Wij verzoeken u daarom direct te controleren of uw saldo en gegevens nog correct zijn.Tevens verzoeken wij u om uw telefoonnummer bij ons te registreren zodat wij u kunnen bereiken in geval van fraude. verifieren door op de volgende link te klikken..

Controleer nu uw gegevens

Wij willen u er nogmaals op attenderen dat een link naar onze website altijd begint het https://mijn.ing.nl dit is namelijk een beveiligde link met 128 bits encryptie. Bedankt voor uw aandacht en medewerking.,

Customer Service,
2011 ING BANK Nederland

However, let’s analyze the email. At the end of the first paragraph we noticed that the sentence “verifieren door op de volgende link te klikken..” is not complete.

And then, the text below the URL mentions “een link naar onze website altijd begint het https://mijn.ing.nl dit is namelijk een beveiligde link met 128 bits encryptie”. Translated to English it says “a link to our site always starts https://mijn.ing.nl because this is a secure link with 128-bit encryption”. When hovering over the URL under “Controleer nu uw gegevens” we have the URL hxxp://www.apartamentainaglis.com/en/includes/Cache/includes/default.html which is clearly not an https or secured connection as they mentioned in the standard copied text.

So, if you ever receive such a phishing email, take a look at the fine details. In most cases, you can identify a phish by such poorly formatted emails.

Firefox warns about this phishing attempt and the account is already disabled at the hosting company.

The recipient is informed that his Adwords campaigns stopped running as of this morning Monday, September 26, 2011.

This is the full content:

We stopped running your Google ads this morning (Monday, September 26, 2011).

Dear AdWords Advertiser,

We had encountered a number of issues when reviewing your ads this morning and we stopped running them. We will review them again and make the necessary changes that will allow to run your ads without any problems.

lightbulbClick here to review your ads and let us know if we made a mistake.

We’ll often stop running your ads until we are able to make the necessary updates. As soon as we made and saved the changes, your ads are automatically resubmitted to us for review.

Please note: If you do not verify the status of your Adwords account and notify us if your ads do not appear online we can not help you and your ads will stay offline for the next few days.

2011 Google is a trademark of Google Inc. All other company and product names may be trademarks of the respective companies with which they are associated. 1600 Amphitheatre Parkway Mountain View, CA 94043

The included URL leads to hxxp://www.google-ars.com/accounts/?ServiceLogin?service=adwords and brings the visitor to the following login webpage.

The login page will request the page login.php and redirect the visitor to an official Google AdWords page http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=142731.

Now, when I was looking at the above page it made me wonder if this version of the login page is still up to date. I surfed to the Google Adwords page and got the following

It seems to me that the authors of this campaign didn’t take the effort to check the design and layout of the phishing login page and modify it to the changed design that is online at Google. Never mind, it’s even better for us to see the difference between an real site from Google and an phishing attempt.

The body of the email:

The URL points to hxxp://www.google-hs.com/accounts/?ServiceLogin?service=adwords&hl=en_US and this will redirect visitors to hxxp://adwords.google-oa.net/adwords/?ServiceLogin?service=adwords&hl=en_US

The emails is send from the spoofed email address srvcs@hmrc.gov.uk, and possible other combinations, and has the following body:

Dear Applicant:

Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show that you have made over payments of GBP 178.25

Due to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this application. In oder to process your refund you will need to complete the application form attached to this email.Your refund may take up to 6 weeks to process please make sure you complete the form correctly.

NOTE: If you’ve received an Income Tax ‘repayment’ it will either be following a claim you’ve made or because HM Revenue & Customs (HMRC) has received new information about your taxable income or entitlement to allowances. The refund may come through your tax code or as a payment and could relate to the current tax year or earlier years.

An Income Tax repayment is a refund of tax that you’ve overpaid. So, if you’ve paid too much tax for example through your job or pension this year or in previous years HMRC will send you a repayment. You’ll get the repayment by bank transfer directly to your credit or debit card.

————————————————————–

Copyright 2011, HM Revenue Customs UK All rights reserved.

Attached to the email is an HTML page with the name Refund_Form.htm. Once opened you will have a webform to submit your personal details together with your credit card details.

When looking into the HTML source code we can find that the layout and images are directly taken from the http://www.hmrc.gov.uk/ web site. The form data itself will be directed to hxxp://www.hotel-bergara.com/cgi-bin/mailform.cgi. When submitting data you will be redirected to the HM Revenue & Customs web site. The forms hidden values shows us that the data is sent to govukgov@yahoo.com.

We also have a second example where the email contains an URL to the phishing web site instead of an embedded attachment in the message.