In this campaign, which we first wrote about in November 2009 (see: Newest Zeus: NACHA Electronic Payments, the criminals send emails suggesting that an Automated Clearing House (ACH) payment has failed. It is thought that this may be a method of screening recipients as only people who deal with money transfer on a regular basis would be familiar with NACHA as having authority over ACH payments.
In more recent versions of the campaign, including the one we wrote about in March 2011 (see: More ACH Spam from NACHA) we have seen dozens or even hundreds of newly created domain names used to host the malicious content.
Here's a sample of the email body:
The ACH transfer (ID: 1514969569958), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.
Rejected transaction
Transaction ID: 1514969569958
Reason for rejection See details in the report below
Transaction Report report_1514969569958.pdf.exe (self-extracting archive, Adobe PDF)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA - The Electronic Payments Association
This morning's most popular subjects:
count | subject
-------+--------------------------
159 | ACH payment canceled
144 | ACH transfer rejected
143 | ACH payment rejected
143 | Rejected ACH payment
137 | Rejected ACH transaction
137 | ACH Transfer canceled
135 | Rejected ACH transfer
131 | Your ACH transfer
131 | ACH transaction canceled
130 | Your ACH transaction
(10 rows)
count | sender_email
-------+-------------
135 | risk@nacha.org
134 | alerts@nacha.org
134 | risk_manager@nacha.org
133 | alert@nacha.org
133 | admin@nacha.org
129 | transactions@nacha.org
124 | ach@nacha.org
122 | payment@nacha.org
120 | transfers@nacha.org
117 | payments@nacha.org
109 | info@nacha.org
(11 rows)
The "new" feature of today's spam campaign is that the criminals have begun using URL shortening services to do their redirection. Although this is new for the current campaign, we've seen it before. We wrote a technical report on the subject last fall called URL Shorteners Used by Online Drug Dealers.
So far this morning, we've observed 34 different URL shortening services in play on this campaign:
count | machine
-------+-----------------
116 | 2mb.eu
93 | p1nk.me
92 | 80p.eu
92 | mzan.si
90 | linkr.fr
88 | redir.ec
84 | 2.gp
80 | udanax.org
79 | ks.gs
71 | whir.li
71 | qr.net
70 | TinyBP.com
68 | spedr.com
68 | urlzip.fr
66 | tiny.ly
60 | shortn.me
48 | mx.vc
16 | urli.nl
11 | snipurl.com
6 | shrt.st
3 | gd.is
3 | virg10.com
2 | rurls.ru
2 | zipurl.fr
2 | lu2su.net
1 | nutshellurl.com
1 | surl.hu
1 | icy.tsd.to
1 | squeerl.net
1 | 3cm.kz
1 | tuit.in
1 | tqb.qlnk.net
1 | mi13.tk
1 | minu.me
(34 rows)
Some of these are
A full list of the more than 1,000 shortened URLs we've seen follows. Remember, these are MALICIOUS URLs. Don't go there if you aren't trained to deal with this kind of stuff.
count | machine | path
-------+-----------------+--------------
5 | spedr.com | /4y7SQSmS
5 | redir.ec | /tYvk
4 | snipurl.com | /27vmxz
4 | redir.ec | /EcPZ
4 | TinyBP.com | /15kcx
4 | 2mb.eu | /TUQBY8
4 | udanax.org | /ZPLf
3 | 2mb.eu | /W8Li1F
3 | mzan.si | /GwQm
3 | qr.net | /b4e0
3 | linkr.fr | /rLao
3 | tiny.ly | /dPnJ
3 | TinyBP.com | /53wi
3 | whir.li | /3z7g
3 | spedr.com | /G9mJzD3W
3 | 2mb.eu | /T2mMP3
3 | linkr.fr | /Jw7M
3 | udanax.org | /ZP0F
3 | urlzip.fr | /W0T
3 | 80p.eu | /ip
3 | virg10.com | /6t6
3 | qr.net | /b4ev
3 | 2mb.eu | /fKVGJX
3 | mzan.si | /N56x
3 | shortn.me | /igWl
...
(1080 rows)
(List truncated in interest of space -- for the full list of shortened URLs, click here: ACH.shortened.urls.txt.)
While we haven't followed every link, all that we have followed so far redirected to a fake forum page on mnuyspe.co.be (193.105.121.158) where "drive-by" exploits are attempted.