NACHA Phishing Email

Posted on November 12th, 2009 by Ryan Spanier

GSA Reference Number: AD091112-01

Simply Put: A fraudulent email is currently circulating that appears to be from NACHA, the Electronic Payments Association.  The email includes a link that forwards users to a fake website, which instructs them to download a report about a failed ACH transaction.  This report is actually malicious software (Zeus/Jabber).  We have already detected infections at several financial institutions as a result of this scam.

Attack Details: The email appears to be from “report@nacha.org” and the subject of the email states “Rejected ACH Transaction.”  The email also includes a link to a fake, unauthorized transaction report.  When the link is clicked, the user is forwarded to a page similar to the NACHA website.  The report referenced on this page is actually the Zeus/Jabber trojan.  This trojan is considered “crimeware” and will attempt to steal website credentials.  More information on the trojan can be found here.

Countermeasures: Users will need to be notified of the email immediately and instructed to delete it.  Any currently infected machines will need to be removed from the network and the necessary incident response measures enacted.  Gladiator is adding recognition patterns to our eShield email service to deny emails matching the current phishing scheme and will continue to block sites at the firewall if they are found to be hosting this scam.
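For mail administrators who want to check their own queues, the following triage rule is built from the two indicators given above (sender and subject). It is an added illustration, not the eShield recognition patterns. Treating `nacha.org` as the legitimate domain, the function names, and both sample messages are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

LURE_SENDER = "report@nacha.org"           # sender stated in the advisory
LURE_SUBJECT = "rejected ach transaction"  # subject stated in the advisory
LEGIT_DOMAIN = "nacha.org"                 # assumption: domain of that sender address
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample messages; the .example host is a placeholder, not a real indicator.
SAMPLE_LURE = (
    "From: NACHA <report@nacha.org>\n"
    "Subject: Rejected ACH Transaction\n\n"
    "Report: http://nacha.org.ach-reports.example/report.php\n")
SAMPLE_BENIGN = (
    "From: NACHA <info@nacha.org>\n"
    "Subject: Operating rules update\n\n"
    "Details: https://www.nacha.org/rules\n")


def off_domain_links(text):
    """Return hosts of links that are neither nacha.org nor a subdomain of it."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != LEGIT_DOMAIN and not host.endswith("." + LEGIT_DOMAIN):
            hosts.append(host)
    return hosts


def classify(raw_message):
    """Return (verdict, reasons) for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if parseaddr(str(msg.get("From", "")))[1].lower() == LURE_SENDER:
        reasons.append("sender")
    if LURE_SUBJECT in str(msg.get("Subject", "")).lower():
        reasons.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    hosts = off_domain_links(body.get_content() if body else "")
    if hosts:
        reasons.append("off-domain link: " + ", ".join(hosts))
    # The From header is trivially forged, so require a link that leaves nacha.org too.
    lure = ("sender" in reasons or "subject" in reasons) and bool(hosts)
    return ("quarantine" if lure else "deliver"), reasons
```

The suffix comparison in `off_domain_links` is deliberate: a host that merely begins with `nacha.org` is still reported as off-domain.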
