Online fraudsters use spam campaign to target payment transfer system

Messages warn of an ACH transfer problem and try to get users to install the Zeus malware

A new spam campaign is targeting a financial transfer system that handles trillions of dollars in transactions annually and has proved to be a fertile target of late for online fraudsters.

The spam messages pretend to come from the National Automated Clearing House Association (NACHA), a U.S. nonprofit association that oversees the Automated Clearing House system (ACH).

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]

ACH is a widely used but aging system used by financial institutions for exchanging details of direct deposits, checks and cash transfers made by businesses and individuals. In 2002, ACH was used for nearly 9 billion [b] transactions worth more than US$24.4 trillion.

Over the last few months, many businesses have lost money through ACH fraud, primarily when fraudsters obtain the authentication credentials required to transfer money. In many cases, significant portions of the fraudulent transfers are never recovered, and businesses are on the hook with their bank.

NACHA has no direct involvement in the processing of the payments, but spammers have nonetheless launched a spam campaign with messages purporting to be from the organization saying that an ACH payment has been rejected.

The spam messages have a link to a fake Web site that looks like NACHA's. The site asks the victim to download a PDF (portable document format) file, but it is actually an executable.

If launched, the executable will install Zbot, also known as Zeus, an advanced piece of banking malware that can harvest the authentication details required to initiate an ACH transaction, according to M86 Security. The spam campaign is coming from the Pushdo botnet, M86 said on its blog.

NACHA has put an advisory on its Web site, warning: "NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive."

There are a number of versions of the Zeus malware, which is periodically re-engineered in order to evade detection by antivirus software. As of Thursday, the version of Zeus being spammed was only detected by 16 of 41 antivirus suites, wrote Gary Warner, director of research in computer forensics at the University of Alabama's computer and information sciences department.

Antivirus software is the first line of defense against malware like Zeus. However, malware writers can modify the file in order to make it undetectable for a while until the security companies see a sample and create a signature for it. It may take a few days before different security suites can detect it. By that time, the money may be gone.