Data443 & Cyren
Products
- - - Products
    - For OEMs
    - Malware Detection
    - Malware Analysis
    - URL Categorization
    - Email Security
    - Threat Intelligence
    - For Enterprises
    - Malware Analysis
    - Inbox Security for Office 365
    - Threat Intelligence
  - - In the News
      
      Online Businesses Become a Phisher’s Playground
      Not nearly enough businesses have deployed sufficient security measures against phishing attacks through website builders and CMS platforms.Read Article on DarkReading >
      
      Go to Newsroom >
Solutions
- - - Expert Support
      
      Cyren’s dedicated security analysts have the expertise to deeply investigate sophisticated threats – their embedded documents and messy code.
      
      And from their vantage point across companies, geographies, and industries, analysts can track emerging attack vectors and prevent breaches.
      
      “For any false positive or user reported items, we do not need to be involved. Cyren’s dedicated team is on top of all these items.”
      
      via Gartner Peer Insights
Resources
- - - Recent Posts
      - Analyzing behavior to protect against BEC attacks December 22, 2022
      - Using NLP techniques to protect against BEC attacks December 8, 2022
      - Phishing with QR codes December 1, 2022
Company
- - - Company
    - About Cyren
    - Careers
    - Management
    - In the News
    - Contact Us
  - - In the News
      
      Online Businesses Become a Phisher’s Playground
      Not nearly enough businesses have deployed sufficient security measures against phishing attacks through website builders and CMS platforms.Read Article on DarkReading >
      
      Go to Newsroom >
BOOK A DEMO

Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Updated: NACHA Payment cancelled – scam continues

In February 2011, NACHA alerted the public about fraudulent emails being distributed that appeared to be sent from NACHA and signed by a non-existent NACHA employee. We reported this campaign back in June 2011 but it has come back in the past 2 weeks with a new twist to trick the users into opening a malicious executable. The email (shown below) includes a URL link to “the report”.

Email text

The ACH transaction (ID:———), recently initiated from your checking account (by you or any other person), was cancelled by the other financial institution.

Rejected transaction

Transaction ID: ———-

Transaction Report: www.nacha.org/reports/index.php?number=——-

Clicking the link doesn’t lead to “nacha.org/reports/index.php” but to the malicious site which prompts for the download of an executable file as seen below.

We detect the downloaded file “report_270918123.pdf.exe” as W32/Zbot.BDD. This variant of zbot uses pseudo-random domain names and attempts connections with each to download a configuration file as seen below. This malware focuses on stealing sensitive financial data (email credentials, online banking login details, etc.).

The IP addresses above belongs to Dankon Ltd. in Russia. We recommend blocking the following range of IP addresses “193.27.246.0 – 193.27.247.255” which belongs to Dankon Ltd.

NOTES:

According to NACHA.org, NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive. So don’t be fooled by this ACH transaction email scam.

Update:

A new variant of the downloaded NACHA file uses Adobe Flash Exploit – CVE-2011-0611 and Java Plugin LaunchJNLP DocBase Exploit – CVE-2010-3552 to be able to download and execute a binary file from the URL “hxxp://brightnix.com/w.php?f=21&e=8”. We detect this malware as W32/Zbot.BDD.

Updating Adobe Flash Player and JAVA Plugin to their latest versions will protect you against this threat.

We recommend blocking the IP addresses 67.195.140.36 and 194.219.29.139.

Oct 5, 2011 | Security Research & Analysis

Categories

You might also like

Analyzing behavior to protect against BEC attacks

Business Email Compromise

Understanding “normal” behaviors in email exchanges are key to combating advanced phishing and BEC attacks by John Stevenson Detecting Business Email Compromise (BEC) In the final part of our series of blogs on Business Email Compromise (BEC), it’s time to look at how...

Using NLP techniques to protect against BEC attacks

Business Email Compromise, Office 365, Phishing

How Natural Language Programming help combat phishing and BEC attacks by John Stevenson Business Email Compromise (BEC) Business Email Compromise (BEC) covers a range of email attacks that typically share a common core attribute. There is no obvious executable...

Phishing with QR codes

Phishing, Security Research & Analysis

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...