By Andrew Brandt
Coming on the heels of similar fraud schemes that targeted victims using the names of such familiar institutions as the FDIC, IRS, and HMRC, scammers are trying to get people to infect their own computer using a different organization’s name—one that is probably unfamiliar to most people. NACHA is a not-for-profit association that “oversees the Automated Clearing House (ACH) Network, a safe, efficient, green, and high-quality payment system.” In other words, they write the rules for the organizations that run the pipes through which money flows between banks and businesses–the circulatory system of the financial world.
In fact, more than 15,000 banks passed 18 billion electronic transactions through the ACH in 2008 alone. ACH is a linchpin in the world’s financial system. But as a rule-making body, NACHA also typically acts behind the scenes, which is why most people who don’t work in the financial services industry probably have never heard of them.
That said, when the world’s largest clearinghouse for transfers of funds between banks supposedly sends you an email like this one, you probably would perk up and pay attention:
The email’s dire warning: “The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association.”
But it’s a scam, as you probably already guessed.
The intended reaction: The victims panic, click the link, and are sucked into the scam. Please don’t let this happen to you.
Like the scams that employ the names of the IRS, HMRC, and FDIC — and related scams featuring Facebook and MySpace “update” utilities — The NACHA phishing scheme is a coordinated attack, beginning with a spam message with an embedded link that leads victims to one of dozens of websites hosting a phishing Trojan, designed to look like NACHA’s corporate website.
The page, headed “Unauthorized ACH Transaction Report” implores you to download a file that allegedly details the nature of this “transaction” but — if you’re a regular reader of the blog, you can guess what happens next. The Trojan-Backdoor-Zbot phishing Trojan, once installed, is a keen thief of login credentials.
At the same time, the scammers are continuing to drive the hackneyed, mirror-image IRS fraud on bald tires, but the latest iteration of this scam includes a new twist: Once you’ve downloaded the tax-themed Zbot installer, the fake IRS download page redirects you through a series of drive-by Web sites that, eventually, attempt to push an infection we call Worm-Echo onto the victim’s computer.
Users of our product can easily remove both Zbot and Worm-Echo from an infected computer, but in the end, isn’t it better not to become a victim in the first place? It looks like cybercriminals are trying to make this a banner holiday season for phishing scams. But if you remain vigilant and treat unexpected email from unfamiliar entities, that supposedly alerts you to financial transactions, with suspicion, you can easily avoid dirty tricks like this one.