A Dispatch


September 08, 2011

The ACH and NACHA Pestilence

By now, every email user and his/her mother must have received a message referring to something called an ACH transaction. Here are a couple of recent samples:

From: "account manager" <account.manager@nacha.net>
Subject: NACHA security nitification

Dear Valued Client,

We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions:

-(ID: 31832211)
-(ID: 59887961)
-(ID: 20998130)
-(ID: 31053612)

initiated from your bank account by you or any other person, who might have access to your account.

Detailed report on initiated transactions and reasons for cancellation can be found in the attachment.

[Attachment: Report-8764.zip (12KB)]

From: "account manager" <account.manager@nacha.net>
Subject: ACH Payment 7073592 Canceled

ACH Payment Canceled

The ACH transaction (ID: 96840217),
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.

Rejected transaction

Transaction ID: 8574210513218

Reason for rejection: See details in the attachment

Transaction Report: report_082011-65.pdf.exe (self-extracting archive, Adobe PDF)


13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association

The real NACHA (at nacha.org) oversees electronic payment rules used by financial institutions. I doubt many consumer recipients of these malware-laden email messages have heard of NACHA or the ACH (automated clearing house) network through which payments flow. That only ramps up a recipient's curiosity about the attachment, and the crooks know it.

Unfortunately, the Trojan loader attachments have been updated daily (if not more frequently) to evade detection by antivirus software. It's not uncommon for a fresh attachment to be recognized by fewer than 20% of the products tested by VirusTotal for many hours.

The perpetrators of this trick really hope to hit the motherlode by reaching the inbox of a corporate worker who knows about the ACH network and is involved with financial transactions. Once the crooks have slithered their way onto victims' PCs, all kinds of logging code can be loaded onto the machines, and the serious thievery can begin (e.g., initiating bank transfers to money mules).

NACHA is well aware of these scamming email messages. Here is the important part of their message to potential victims:

NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to persons or organizations about individual ACH transactions that they originate or receive.

In other words, any message you receive about an individual transaction claiming to be from NACHA is completely bogus. That should be enough of a signal to the smart email user that the attachment should be avoided at all cost.
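The signals described above can be checked mechanically at a mail gateway. The following is an added example, not part of the original post: the function names, reason labels and extension lists are assumptions chosen for illustration, and the sample message is constructed with an inert placeholder attachment.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}  # assumed list
DECOY_EXT = {"pdf", "doc", "xls", "txt", "jpg"}  # assumed document-looking extensions
ARCHIVE_EXT = {"zip", "rar"}
TRANSACTION_RE = re.compile(r"\bACH\b.*\b(?:transaction|payment)s?\b", re.I | re.S)

def nacha_lure_indicators(raw):
    """Return the reasons a raw message matches the fake-NACHA pattern."""
    msg = message_from_string(raw)
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            text += "\n" + part.get_payload(decode=True).decode("utf-8", "replace")
    claims_nacha = "nacha" in domain or "nacha" in text.lower()
    # The real association is at nacha.org; the samples used nacha.net.
    if "nacha" in domain and domain != "nacha.org" and not domain.endswith(".nacha.org"):
        reasons.append("sender-domain-not-nacha.org")
    # From is spoofable, so this applies to any sender: NACHA does not
    # write to anyone about an individual ACH transaction.
    if claims_nacha and TRANSACTION_RE.search(text):
        reasons.append("nacha-individual-transaction-notice")
    for part in msg.walk():
        exts = (part.get_filename() or "").lower().split(".")[1:]
        if not exts:
            continue
        if exts[-1] in EXECUTABLE_EXT:
            double = len(exts) > 1 and exts[-2] in DECOY_EXT
            reasons.append("double-extension-executable" if double else "executable-attachment")
        elif exts[-1] in ARCHIVE_EXT and claims_nacha:
            reasons.append("archive-attachment-on-nacha-claim")
    return reasons

def build_sample(sender, subject, body, attachment_name):
    """Constructed test message; the attachment bytes are an inert placeholder."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()

if __name__ == "__main__":
    print(nacha_lure_indicators(build_sample(
        '"account manager" <account.manager@nacha.net>', "ACH Payment 7073592 Canceled",
        "The ACH transaction (ID: 96840217) was canceled.", "report_082011-65.pdf.exe")))
```

Because the attachments were re-packed faster than antivirus signatures caught up, these content-independent checks (who the message claims to be from, what it claims to report, and how the attachment is named) are the ones that keep working.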

Posted on September 08, 2011 at 10:31 AM