Friday, February 25, 2011

"ACH Transaction Rejected" payments lead to Zeus

On February 23rd, our friends at Trend Micro reported that ACH Leads to Fake Java Update. Looking into this campaign in the UAB Spam Data Mine we found some interesting characteristics about the spam campaign.

We've seen NACHA, the National Automated Clearing House Association, used as bait for a Zeus trap before. See our article from November 2009, Newest Zeus = NACHA The Electronic Payments Association.

The spam body, containing a random signator name and random domain reads:

===========================================================================

The ACH transaction , recently initiated from your bank account (by you or any
other person), was rejected by the Electronic Payments Association.

Please click here to view details

------------------------------------------------------------------

Benjamin Grant,
Fraud Department

==========================================================================

Here are our counts by Subject so far for this campaign:

count | subject
-------+---------------------------
1656 | ACH Transfer cancelled
1620 | Your ACH Transfer
1558 | ACH Transfer rejected
1598 | Your ACH transaction
1610 | ACH transaction cancelled
1622 | ACH transaction rejected
(6 rows)

That's out of a volume of slightly more than 1 million emails per day. Here it is with date added:

count | subject | receiving_date
-------+---------------------------+----------------
10 | ACH transaction cancelled | 2011-02-22
13 | ACH transaction rejected | 2011-02-22
23 | ACH Transfer cancelled | 2011-02-22
18 | ACH Transfer rejected | 2011-02-22
15 | Your ACH transaction | 2011-02-22
11 | Your ACH Transfer | 2011-02-22
1600 | ACH transaction cancelled | 2011-02-23
1609 | ACH transaction rejected | 2011-02-23
1633 | ACH Transfer cancelled | 2011-02-23
1540 | ACH Transfer rejected | 2011-02-23
1583 | Your ACH transaction | 2011-02-23
1609 | Your ACH Transfer | 2011-02-23
(12 rows)

What was extremely interesting about this campaign was the large number of domains it registered to be used in this abuse. Fortunately, these were all "GoDaddy.com" domains and were quickly brought under control to prevent the spread of the malware.

Here are our volume by spammed domain:

count | machine
-------+---------------------------------
26 | AC-CURE-HS.INFO
30 | ACCUREHS.INFO
33 | ACH-ACCOUNTS.INFO
26 | ACHACCOUNTS.INFO
29 | ACHDAUDIO.INFO
29 | ACHDBLOG.INFO
28 | ACHDCAMERA.INFO
25 | ACHDCOMPATIBLE.INFO
26 | ACHDFORMAT.INFO
30 | AC-HD.INFO
30 | ACHDNOW.INFO
26 | ACHDONLINE.INFO
24 | ACHDPHOTO.INFO
36 | ACHDPROGRAMMING.INFO
31 | ACHDRECEIVER.INFO
28 | ACHDRECORDING.INFO
34 | ACHDSHOP.INFO
34 | ACHDSIGNALS.INFO
39 | ACHDS.INFO
26 | ACHDSITE.INFO
27 | ACHDSTORE.INFO
25 | ACHDTODAY.INFO
31 | ACHFACID.INFO
36 | ACHFBANDS.INFO
34 | ACHFBLOG.INFO
45 | ACHFBROADCASTING.INFO
37 | ACHFCONTEST.INFO
27 | ACHFEXPOSURE.INFO
37 | AC-HF.INFO
27 | ACHFMOBILE.INFO
24 | ACHFNOW.INFO
26 | ACHFONLINE.INFO
34 | ACHFRADAR.INFO
25 | ACHFRECEIVER.INFO
22 | ACHFSHOP.INFO
37 | ACHFS.INFO
38 | ACHFSITE.INFO
31 | ACHFSPECTRUM.INFO
30 | ACHFSTORE.INFO
28 | ACHFTODAY.INFO
28 | ACHGBLOG.INFO
47 | ACHGENTERTAINMENT.INFO
35 | AC-HG-EXPOSURE.INFO
40 | ACHGEXPOSURE.INFO
44 | AC-HG.INFO
26 | ACHGMETAL.INFO
33 | ACHGNOW.INFO
27 | ACHGONLINE.INFO
17 | ACHGSHOP.INFO
26 | ACHGS.INFO
29 | ACHGSITE.INFO
27 | ACHGSPOT.INFO
29 | ACHGSTORE.INFO
26 | ACHGTODAY.INFO
26 | AC-HG-VACUUM.INFO
30 | ACHGVACUUM.INFO
27 | AC-HG-WELLS.INFO
31 | ACHGWELLS.INFO
28 | AC-HIGHSCHOOL.INFO
33 | ACHIGHSCHOOL.INFO
25 | ACH-PAYMENT.INFO
28 | ACH-PAYMENTS.INFO
30 | ACHPBLOG.INFO
41 | ACHPCERTIFICATION.INFO
39 | ACHPENTERPRISE.INFO
34 | ACHPHARDWARE.INFO
36 | ACHPIBLOG.INFO
27 | AC-HPI-CARS.INFO
33 | ACHPICARS.INFO
27 | AC-HPI-CHECKS.INFO
30 | ACHPICHECKS.INFO
32 | AC-HPI.INFO
33 | ACHPI.INFO
28 | AC-HP.INFO
26 | ACHPINOW.INFO
33 | ACHPINTEGRITY.INFO
27 | ACHPIONLINE.INFO
21 | AC-HPI-RACING.INFO
30 | ACHPIRACING.INFO
38 | ACHPISHOP.INFO
23 | ACHPIS.INFO
32 | ACHPISITE.INFO
20 | ACHPISTORE.INFO
26 | ACHPITODAY.INFO
30 | ACHPLINUX.INFO
25 | ACHPNOW.INFO
28 | ACHPONLINE.INFO
24 | ACHPPHOTO.INFO
23 | ACHPPRINTER.INFO
35 | ACHPSERVER.INFO
40 | ACHPSERVERS.INFO
40 | ACHPSHOP.INFO
31 | ACHPS.INFO
28 | ACHPSITE.INFO
32 | ACHPSTORE.INFO
34 | ACHPTODAY.INFO
21 | ACHSBLOG.INFO
32 | AC-HS.INFO
33 | ACHSNOW.INFO
35 | ACHSONLINE.INFO
36 | ACHSSHOP.INFO
38 | ACHSSITE.INFO
33 | ACHSSTORE.INFO
33 | ACHSTODAY.INFO
35 | ACHTBLOG.INFO
31 | AC-HT-CONSULTING.INFO
38 | ACHTCONSULTING.INFO
19 | AC-HT-EDITOR.INFO
31 | ACHTEDITOR.INFO
30 | AC-HT-ENTERPRISES.INFO
37 | ACHTENTERPRISES.INFO
31 | AC-HT.INFO
35 | AC-HT-MOBILE.INFO
32 | ACHTMOBILE.INFO
33 | ACHTNOW.INFO
26 | ACHTRANSACTIONBLOG.INFO
35 | ACHTRANSACTIONCODE.INFO
38 | ACH-TRANSACTION.INFO
29 | ACHTRANSACTION.INFO
29 | ACHTRANSACTIONISOLATION.INFO
23 | ACHTRANSACTIONLAYER.INFO
28 | ACHTRANSACTIONLOGIC.INFO
26 | ACHTRANSACTIONMONITORING.INFO
18 | ACHTRANSACTIONNOW.INFO
29 | ACHTRANSACTIONONLINE.INFO
27 | ACH-TRANSACTION-PROCESSING.INFO
32 | ACHTRANSACTIONPROCESSING.INFO
34 | ACH-TRANSACTION-PUBLISHERS.INFO
29 | ACHTRANSACTIONPUBLISHERS.INFO
17 | ACHTRANSACTIONSHOP.INFO
31 | ACH-TRANSACTIONS.INFO
28 | ACHTRANSACTIONS.INFO
29 | ACHTRANSACTIONSITE.INFO
31 | ACHTRANSACTIONSTORE.INFO
29 | ACHTRANSACTIONTODAY.INFO
28 | ACHTRANSFERAGENT.INFO
28 | ACHTRANSFERBLOG.INFO
33 | ACHTRANSFERCREDITS.INFO
26 | ACHTRANSFERFILES.INFO
37 | ACHTRANSFERGUIDE.INFO
31 | ACHTRANSFERGUIDES.INFO
34 | ACH-TRANSFER.INFO
30 | ACHTRANSFER.INFO
30 | ACHTRANSFERNOW.INFO
32 | ACHTRANSFERONLINE.INFO
35 | ACHTRANSFERPRICING.INFO
16 | ACHTRANSFERREQUEST.INFO
33 | ACHTRANSFERSHOP.INFO
32 | ACHTRANSFERS.INFO
35 | ACHTRANSFERSITE.INFO
34 | ACH-TRANSFER-STATION.INFO
31 | ACHTRANSFERSTATION.INFO
30 | ACHTRANSFERSTORE.INFO
29 | ACHTRANSFERTODAY.INFO
25 | ACHTRUSTASSETS.INFO
25 | ACHTRUSTBLOG.INFO
31 | ACHTRUSTCORPORATION.INFO
37 | ACHTRUSTDOCUMENT.INFO
32 | ACH-TRUST.INFO
31 | ACHTRUST.INFO
32 | ACHTRUSTINSTRUMENT.INFO
20 | ACHTRUSTINVESTMENTS.INFO
21 | ACHTRUSTLANDS.INFO
33 | ACHTRUSTNOW.INFO
30 | ACHTRUSTONLINE.INFO
27 | ACHTRUSTSHOP.INFO
23 | ACHTRUSTS.INFO
26 | ACHTRUSTSITE.INFO
26 | ACHTRUSTSTORE.INFO
35 | ACHTRUSTTODAY.INFO
22 | ACH-TRUST-WEBSITE.INFO
34 | ACHTRUSTWEBSITE.INFO
28 | ACHTSHOP.INFO
28 | ACHTS.INFO
38 | ACHTSITE.INFO
34 | ACHTSTORE.INFO
33 | ACHTTODAY.INFO
32 | ACHUBLOG.INFO
30 | AC-HU.INFO
27 | ACHUNOW.INFO
21 | ACHUONLINE.INFO
32 | ACHUSHOP.INFO
40 | ACHUSITE.INFO
32 | ACHUSTORE.INFO
24 | ACHUTODAY.INFO
35 | ACHYBLOG.INFO
28 | ACH-Y-CAMP.INFO
35 | ACHYCAMP.INFO
31 | ACH-Y.INFO
30 | ACHYNOW.INFO
28 | ACHYONLINE.INFO
25 | ACHYSHOP.INFO
31 | ACHYS.INFO
18 | ACHYSITE.INFO
27 | ACHYSTORE.INFO
39 | ACHYTODAY.INFO
29 | ACHZBLOG.INFO
30 | AC-HZ.INFO
26 | ACHZNOW.INFO
35 | ACHZONLINE.INFO
28 | ACHZSHOP.INFO
34 | ACHZS.INFO
33 | ACHZSITE.INFO
22 | ACHZSTORE.INFO
32 | ACHZTODAY.INFO
2 | ACTORTUO.INFO
27 | BASEBALLTRANSACTIONS.INFO
40 | BESTACHD.INFO
22 | BESTACHF.INFO
36 | BESTACHG.INFO
39 | BESTACHPI.INFO
34 | BESTACHP.INFO
29 | BESTACHS.INFO
32 | BESTACHT.INFO
26 | BESTACHTRANSACTION.INFO
37 | BESTACHTRANSFER.INFO
30 | BESTACHTRUST.INFO
29 | BESTACHU.INFO
31 | BESTACHY.INFO
28 | BESTACHZ.INFO
2 | BESTKRUST.INFO
33 | BESTTRANSFERACH.INFO
1 | BETAINFO.INFO
2 | BRENT-TOR.INFO
2 | CALMWEATHER.INFO
2 | CLOTHES-PEG-I.INFO
42 | COLLEGETRANSFERACH.INFO
3 | dfc4.co.cc
4 | dfc5.co.cc
22 | DISTRIBUTEDTRANSACTIONS.INFO
40 | DOMAINTRANSFERACH.INFO
2 | EDUCATIONALTOPIC.INFO
40 | ELECTRONIC-ACH.INFO
31 | ELECTRONICACH.INFO
21 | ELECTRONICACHTRUST.INFO
39 | ELECTRONIC-ACH-Y.INFO
28 | ELECTRONICACHY.INFO
27 | ELECTRONICTRANSACTIONS.INFO
2 | FLOORSURFACE.INFO
35 | FREEACHD.INFO
31 | FREEACHF.INFO
33 | FREEACHG.INFO
29 | FREEACHPI.INFO
37 | FREEACHP.INFO
24 | FREEACHS.INFO
33 | FREEACHT.INFO
27 | FREEACHTRANSACTION.INFO
26 | FREEACHTRANSFER.INFO
28 | FREEACHTRUST.INFO
31 | FREEACHU.INFO
33 | FREEACHY.INFO
31 | FREEACHZ.INFO
33 | FREETRANSFERACH.INFO
2 | FREEULX.INFO
39 | HEAT-TRANSFER-ACH.INFO
45 | HEATTRANSFERACH.INFO
2 | IGLOMINERALS.INFO
1 | INCORRECT-RESULT.INFO
2 | INTERACTIVEROUTE.INFO
1 | JOURNALISSUE.INFO
25 | LEAGUETRANSACTIONS.INFO
3 | LOVES-YOU-LX.INFO
2 | LYNXPOPULATIONS.INFO
2 | MAMBARANKING.INFO
2 | MAMBASCHOLARSHIP.INFO
2 | MB-CARD.INFO
32 | MEMORYTRANSACTIONS.INFO
2 | MERCURYLYNX.INFO
34 | MYACHD.INFO
36 | MYACHF.INFO
28 | MYACHG.INFO
31 | MYACHPI.INFO
22 | MYACHP.INFO
32 | MYACHT.INFO
40 | MYACHTRANSACTION.INFO
41 | MYACHTRANSFER.INFO
37 | MYACHTRUST.INFO
28 | MYACHU.INFO
34 | MYACHY.INFO
30 | MYACHZ.INFO
2 | MYPEGI.INFO
26 | MYTRANSFERACH.INFO
30 | NEWACHD.INFO
37 | NEWACHF.INFO
26 | NEWACHG.INFO
44 | NEWACHPI.INFO
28 | NEWACHP.INFO
31 | NEWACHS.INFO
29 | NEWACHT.INFO
32 | NEWACHTRANSACTION.INFO
27 | NEWACHTRANSFER.INFO
23 | NEWACHTRUST.INFO
26 | NEWACHU.INFO
19 | NEWACHY.INFO
30 | NEWACHZ.INFO
45 | NEWTRANSFERACH.INFO
1 | NEWULX.INFO
2 | NOVA-TU-O.INFO
2 | OTTAWALYNX.INFO
2 | PEGISHOP.INFO
34 | PLAYERTRANSACTIONS.INFO
24 | REPRESENTATIVETRANSACTIONS.INFO
3 | RESPOND-E-PT.INFO
2 | REWARDMILES.INFO
2 | RIMINFO.INFO
2 | ROUGHTOR.INFO
38 | SECUREDTRANSACTIONS.INFO
2 | SLOTESITE.INFO
23 | SPORTS-TRANSACTIONS.INFO
21 | SPORTSTRANSACTIONS.INFO
2 | STAR-TU-O.INFO
2 | STARTUOTICKET.INFO
2 | STEELRIM.INFO
29 | TECHTRANSFERACH.INFO
27 | THEACHD.INFO
37 | THEACHF.INFO
28 | THEACHG.INFO
20 | THEACHPI.INFO
31 | THEACHP.INFO
34 | THEACHS.INFO
30 | THEACHT.INFO
26 | THEACHTRANSACTION.INFO
30 | THEACHTRANSFER.INFO
22 | THEACHTRUST.INFO
27 | THEACHU.INFO
29 | THEACHY.INFO
33 | THEACHZ.INFO
34 | THETRANSFERACH.INFO
2 | TOR-MINERALS.INFO
26 | TRANSACTIONSSHOP.INFO
30 | TRANSACTIONSTODAY.INFO
22 | TRANSFERACHACCOUNTS.INFO
25 | TRANSFERACHBLOG.INFO
32 | TRANSFER-ACH.INFO
36 | TRANSFERACH.INFO
34 | TRANSFERACHNOW.INFO
24 | TRANSFERACHONLINE.INFO
33 | TRANSFERACHPAYMENT.INFO
34 | TRANSFERACHPAYMENTS.INFO
33 | TRANSFERACHSHOP.INFO
27 | TRANSFERACHS.INFO
39 | TRANSFERACHSITE.INFO
34 | TRANSFERACHSTORE.INFO
32 | TRANSFERACHTODAY.INFO
41 | TRANSFERADMISSION.INFO
34 | TRANSFERAPPLICANTS.INFO
35 | TRANSFERGUIDE.INFO
36 | TRANSFERGUIDES.INFO
2 | ULXS.INFO
23 | WEALTHTRANSFERACH.INFO
2 | WIRELESS-COMMUNICATIONS.INFO
2 | YMYSTICK.INFO
2 | YOU-LX.INFO
2 | YUM-RESTAURANTS.INFO
2 | YUMTHAI.INFO
(355 rows)

The last domains we saw spammed were slightly after 7 PM (Central time) on Feb 23rd:

NEWACHTRANSFER.INFO
FREEACHY.INFO
ACHUSTORE.INFO
NEWTRANSFERACH.INFO
ACHGNOW.INFO
TRANSFERADMISSION.INFO
ACHPBLOG.INFO
MYACHTRUST.INFO
ACHYS.INFO
THEACHPI.INFO
ACHPSTORE.INFO

all came in between 7 PM and 7:15 PM into the UAB Spam Data Mine.

If you've read some of our Technical Reports then you know that UAB has a unique capability to build "Spam Clusters" of messages related on many different factors. One of our fairly standard checks is to ask "what other spam is coming from the machines that sent us this spam?"

In this case, the answer was NOTHING.

It was as if every single machine that sent this spam message had been uniquely compromised for the sole purpose of sending us this email. Out of 9,610 sending IP addresses, only TWO of them had been seen previously sending spam to the UAB Spam Data Mine. Two Viagra ad from 196.22.14.4 on February 18th and 19th and a set of seven Viagra ads from 112.135.85.114 on February 8th and 9th. The other 9,608 sending IP addresses had not sent us any spam, at least in the past month. That's so unusual that it is actually impossible. There are so many bot-infected computers that randomly selecting any 9,000 internet-connected computers, there is NO CHANCE that none of them sent me spam.

It turns out the spam messages had "dubious header records" inserted.

To explore this deeper, I looked at the headers of 92 email messages I had personally received in this campaign (as opposed to the UAB Spam Data Mine receiving them -- the smaller data set is easier to manipulate for manual or quick scripting review.)

It turned out that the 92 emails, which at first seemed to come from 92 different IPs, actually came from 14 machines, with the most popular ones being:

Received: from static.vdc.vn [113.160.224.168]
Received: from triband-mum-59.184.120.21.mtnl.net.in [59.184.120.21]
Received: from 95.subnet125-164-81.speedy.telkom.net.id [125.164.81.95]

All well known spammer IPs (click links to see their "Project Honeypot" reputations).

While digging deeper, it seems that each of the spam messages was sent while authenticated into gmail. As a quick spot check, I examined the 92 email messages that I received in my personal accounts. Out of the 92, 92 of them had an "envelope-from" and a matching "Return-Path:" statement showing a gmail account that had been used to send the spam message:

(envelope-from abominatingr@gmail.com)
(envelope-from adjournt5@gmail.com)
(envelope-from alwaysw7@gmail.com)
(envelope-from anaestheticsnz556@gmail.com)
(envelope-from analog@gmail.com)
(envelope-from anthropologyi9@gmail.com)
(envelope-from bagateller67@gmail.com)
(envelope-from bawlct1@gmail.com)
(envelope-from beachcombersbdu88@gmail.com)
(envelope-from becomingly001@gmail.com)
(envelope-from belligerency028@gmail.com)
(envelope-from biweekliesqa38@gmail.com)
(envelope-from butteriesldn@gmail.com)
(envelope-from costs@gmail.com)
(envelope-from dependenceq@gmail.com)
(envelope-from dhakatx223@gmail.com)
(envelope-from dismounts05@gmail.com)
(envelope-from distinguishedxe4@gmail.com)
(envelope-from dogwoodui449@gmail.com)
(envelope-from dryadd@gmail.com)
(envelope-from earthworkssmu44@gmail.com)
(envelope-from episodesmf3@gmail.com)
(envelope-from epistolarieskud474@gmail.com)
(envelope-from excusingo6049@gmail.com)
(envelope-from foxtrotteds@gmail.com)
(envelope-from guyinghr6@gmail.com)
(envelope-from hairiestrwv95@gmail.com)
(envelope-from heartbreako0@gmail.com)
(envelope-from helpedcf201@gmail.com)
(envelope-from hotelierpv186@gmail.com)
(envelope-from importunitymn2@gmail.com)
(envelope-from indefinites@gmail.com)
(envelope-from indispensably950@gmail.com)
(envelope-from irishwoman0463@gmail.com)
(envelope-from islander18@gmail.com)
(envelope-from kinkedhby9@gmail.com)
(envelope-from knottiestn@gmail.com)
(envelope-from kropotkinci@gmail.com)
(envelope-from litanies0@gmail.com)
(envelope-from locomotivezq84@gmail.com)
(envelope-from lugsfo@gmail.com)
(envelope-from manfullym7@gmail.com)
(envelope-from matzoshl229@gmail.com)
(envelope-from memorizingxf7@gmail.com)
(envelope-from micronsv1@gmail.com)
(envelope-from mines2@gmail.com)
(envelope-from morerkc896@gmail.com)
(envelope-from murkierp9@gmail.com)
(envelope-from northwesterlyl4@gmail.com)
(envelope-from orbiting4@gmail.com)
(envelope-from organsgqz3@gmail.com)
(envelope-from painfullerujt3@gmail.com)
(envelope-from paltryr63@gmail.com)
(envelope-from phwpa1@gmail.com)
(envelope-from pincushionsl206@gmail.com)
(envelope-from polyglotsxn51@gmail.com)
(envelope-from prohibitorys49@gmail.com)
(envelope-from queenslandpu9@gmail.com)
(envelope-from refracting05@gmail.com)
(envelope-from repaymentsrdr@gmail.com)
(envelope-from rerouteso6@gmail.com)
(envelope-from reselljucd@gmail.com)
(envelope-from rhinestoneo@gmail.com)
(envelope-from ricksjn@gmail.com)
(envelope-from ridgepolem843@gmail.com)
(envelope-from sandieruj@gmail.com)
(envelope-from scabbedl6@gmail.com)
(envelope-from septuagenarians8917@gmail.com)
(envelope-from siberiat1@gmail.com)
(envelope-from slumberad148@gmail.com)
(envelope-from soldieringr7065@gmail.com)
(envelope-from solemnizedo36@gmail.com)
(envelope-from soliloquizese3@gmail.com)
(envelope-from southernersh477@gmail.com)
(envelope-from speedilyby98@gmail.com)
(envelope-from spokes356@gmail.com)
(envelope-from subsidiaryuzxs5@gmail.com)
(envelope-from surmountableoa062@gmail.com)
(envelope-from ternsz27@gmail.com)
(envelope-from thingslq@gmail.com)
(envelope-from totalitiest2@gmail.com)
(envelope-from tuberous37@gmail.com)
(envelope-from ufab3@gmail.com)
(envelope-from undergo@gmail.com)
(envelope-from undertakenf5@gmail.com)
(envelope-from undyingp8344@gmail.com)
(envelope-from unquestionablyww4@gmail.com)
(envelope-from untestedslq4201@gmail.com)
(envelope-from vegemitebe042@gmail.com)
(envelope-from victoriouswyt3@gmail.com)
(envelope-from warmheartedw4@gmail.com)
(envelope-from writhe78@gmail.com)

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!