Phishing Scheme Targets E-Payment Rule-Maker, NACHA

By Andrew Brandt


Coming on the heels of similar fraud schemes that targeted victims using the names of such familiar institutions as the FDIC, IRS, and HMRC, scammers are trying to get people to infect their own computer using a different organization’s name—one that is probably unfamiliar to most people. NACHA is a not-for-profit association that “oversees the Automated Clearing House (ACH) Network, a safe, efficient, green, and high-quality payment system.” In other words, they write the rules for the organizations that run the pipes through which money flows between banks and businesses–the circulatory system of the financial world.

In fact, more than 15,000 banks passed 18 billion electronic transactions through the ACH in 2008 alone. ACH is a linchpin in the world’s financial system. But as a rule-making body, NACHA also typically acts behind the scenes, which is why most people who don’t work in the financial services industry probably have never heard of them.

That said, when the world’s largest clearinghouse for transfers of funds between banks supposedly sends you an email like this one, you probably would perk up and pay attention:


The email’s dire warning: “The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association.”

But it’s a scam, as you probably already guessed.

The intended reaction: The victims panic, click the link, and are sucked into the scam. Please don’t let this happen to you.

Like the scams that employ the names of the IRS, HMRC, and FDIC — and related scams featuring Facebook and MySpace “update” utilities — the NACHA phishing scheme is a coordinated attack. It begins with a spam message containing an embedded link, which leads victims to one of dozens of websites that are designed to look like NACHA’s corporate website and that host a phishing Trojan.
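A mail-filter check for the chain described above, as an added example that is not from the original post: it flags links in a NACHA-themed message whose host is not NACHA's own domain. The `nacha.org` domain, the sample message and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: NACHA's genuine site lives under nacha.org (not stated in the post).
LEGIT_DOMAIN = "nacha.org"
# Brand and lure wording taken from the message and page quoted in the post.
LURE_RE = re.compile(
    r"\bNACHA\b|\bACH transaction\b|Electronic Payments Association", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; hosts use reserved example names.
SAMPLE = """From: "NACHA" <alerts@nacha.org>
Subject: Unauthorized ACH Transaction Report
Content-Type: text/html

<p>The ACH transaction, recently initiated from your bank account, was rejected
by the Electronic Payments Association.</p>
<a href="http://www.nacha.org.reports.example/report.php">Transaction report</a>
<a href="https://www.nacha.org/">About NACHA</a>
"""

def host_is_legit(host):
    """True only for nacha.org or a real subdomain, never a look-alike prefix."""
    host = host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def body_text(msg):
    """Concatenate every text part (plain or HTML) of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def suspicious_links(raw_email):
    """Links in a NACHA-themed message that do not point at NACHA's domain."""
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if not LURE_RE.search(text):
        return []
    flagged = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        if not host_is_legit(urlsplit(url).hostname or ""):
            flagged.append(url)
    return flagged
```

The host comparison is a suffix match on a dot boundary, so a host that merely starts with or contains the brand name does not pass, and the `From:` header is ignored because it is trivially forged.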


The page, headed “Unauthorized ACH Transaction Report,” implores you to download a file that allegedly details the nature of this “transaction” but — if you’re a regular reader of the blog, you can guess what happens next. The Trojan-Backdoor-Zbot phishing Trojan, once installed, is a keen thief of login credentials.


At the same time, the scammers are continuing to drive the hackneyed, mirror-image IRS fraud on bald tires, but the latest iteration of this scam includes a new twist: Once you’ve downloaded the tax-themed Zbot installer, the fake IRS download page redirects you through a series of drive-by Web sites that, eventually, attempt to push an infection we call Worm-Echo onto the victim’s computer.

Users of our product can easily remove both Zbot and Worm-Echo from an infected computer, but in the end, isn’t it better not to become a victim in the first place? It looks like cybercriminals are trying to make this a banner holiday season for phishing scams. But if you remain vigilant and treat with suspicion any unexpected email from an unfamiliar entity that supposedly alerts you to financial transactions, you can easily avoid dirty tricks like this one.
