Network News

X My Profile
View More Activity

Nastygram: Beware the NACHA gotcha


Cyber thieves on Thursday began blasting out millions of e-mails impersonating NACHA - The Electronic Payments Association, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

The missives in this latest scam arrive with various subject lines, but all complain about an unauthorized, rejected or failed ACH transaction. Most regular Internet users probably will ignore this message, as few people probably even know what ACH stands for (ACH, or "automated clearing house" refers to the electronic network used by banks to process credit and debit transactions in batches). That's likely just fine with the attackers, who appear to be targeting bookkeepers at small to mid-sized companies -- people who actually recognize what a failed or rejected ACH transaction can mean for their business's bottom line and reputation.

According to an alert at the real NACHA Web site, the bogus messages look something like this:

From: [] Sent: Thursday, November 12, 2009 10:25 AM To: Doe, John

Subject: Rejected ACH transaction, please review the transaction report

Dear bank account holder,

The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below.

Unauthorized ACH Transaction Report (this is the how the link is presented)

Recipients who click the link in the e-mail are brought to a counterfeit NACHA Web site that offers a phony "transaction report" that harbors a copy of Zeus/Zbot. This same piece of malware has been responsible for attacks on thebanking accounts of dozens of businesses chronicled by Security Fix over the past few months, exploits that have cost individual companies hundreds of thousands of dollars.


Researchers at the University of Alabama, Birmingham are tracking more than 30 fake NACHA sites that are serving malicious software in connection with this attack. The school reports that only about 16 out of 41 popular anti-virus products currently detect the "transaction report" as malicious.

By Brian Krebs  |  November 12, 2009; 6:44 PM ET
Categories:  Latest Warnings , Nastygram , Safety Tips  | Tags: nacha, zeus  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Brazilian Govt: Soot, not hackers, caused '07 blackouts
Next: Security update for Apple's Safari Web browser


The validity of the old rule - don't click on email links ! - is herewith once again demonstrated. But that so few of the popular anti-virus products investigated by Virustotal detected this malware as malicious is frightening, given that many users seem to believe that if one has such a product installed, one doesn't need to take care when surfing the web or dealing with one's email. Thanks for the alert, Brian !...


Posted by: mhenriday | November 13, 2009 8:49 AM | Report abuse

Thanks for the timely alert - I forwarded this on to my finance director who, not only reported seeing this in her spam folder, but also mentioned that she received a phone call "warning" her of the same issue.

Posted by: nullconnect | November 13, 2009 10:19 AM | Report abuse

I sent this article to a client and found that they were indeed receiving the emails.

This is great stuff... Keep up the good work.


Posted by: fchaffin | November 13, 2009 3:28 PM | Report abuse

Our PAC filter has been set to block the look-alikes with the following rules:

GoodDomains[i++] = "";

BadHostWordStarts[i++] = "nacha\.org";

The pattern is long enough that I can make the blocking a little stronger with this:

BadHostParts[i++] = "nacha\.org";

Here is where the PAC filter lives:

The rule of thumb for malware is that if it is less than a megabyte then it can easily have its variable names changed, dummy variables and structures added and other things altered and be easily recompiled. All of the binaries are then scanned at VirusTotal to make sure it passes muster. Once they tweak it enough out the door it goes. Most of the stuff I work at discovering and blocking when it is day 0-3 has at best 4 / 41 and at worst 0 / 43 detectinon at VirusTotal. So don't depend on AV completely. OTOH, do NOT turn it off or uninstall it either!

With the advent of the flash bug and its repercussions on how JavaScript and other scripting in general can be abused you should also put on either NoScript or Flash Killer in Firefox. For IE there is Toggle FLash. I forgot what it was for Safari and whether or not it was a built in or not but it is there. But use something to curtail the scripting. My hosts file and our PAC filter as well as AdBlock Plus with the EasyPrivacy subscription will also curtail it. But the days of unlimited scripting on the Internet seem to be over.

Posted by: hhhobbit | November 18, 2009 3:51 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company