X-Labs
September 6, 2011

Fraudulent messages from Electronic Payments Association NACHA

Forcepoint

Websense® ThreatSeeker® Network has been tracking a large number of messages masquerading as legitimate messages from the Electronic Payment Association NACHA.


The messages bear legitimate traits: the display name and routing details appear, at first glance, to confirm the sender. Further analysis of the message and its attachments proves them to be malicious in intent. The examples below show what these messages look like, and an unsuspecting member or patron of the service might well fall for this.


The example below is a variant we have been aware of and have been tracking for a while now. The double extension on the attachment's file name, together with the exact format of the message, including the Subject line, attests to the reuse of the campaign.


Example of a variant noticed earlier: 


Digging a little deeper into the header information, we find this:


Although this might seem to have come from NACHA, the routing details suggest otherwise: the message does not originate from the publicly known MX records for the organization.
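The two traits called out above, routing details that do not match the claimed sender's known mail hosts and an attachment carrying a double extension, can be checked mechanically at the mail gateway. The script below is an added example written for this post, not Websense or Forcepoint code. Every host name, domain, IP address and the sample message are constructed; the allow-list of known mail hosts is a stand-in for data a real deployment would take from the organisation's published MX or SPF records.

```python
"""Triage helper for messages claiming to come from a payments association.

Added example, not vendor code. It checks the two indicators described in the
post: an origin host that is not one of the claimed sender domain's known mail
hosts, and attachment names of the form 'decoy.pdf.exe'. All domains, hosts,
addresses and the sample message are constructed for illustration.
"""
import email
import email.utils
import re
from email import policy

# Constructed allow-list: mail hosts the claimed sender domain is known to use.
KNOWN_MAIL_HOSTS = {
    "payments-association.example": {
        "mx1.payments-association.example",
        "mx2.payments-association.example",
    },
}

# Final suffixes that make a double extension suspicious.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)", re.IGNORECASE)

# Constructed sample message (documentation-only addresses and names).
SAMPLE_MESSAGE = """\
Received: from relay.corp.example (relay.corp.example [203.0.113.10])
    by mail.corp.example with ESMTP id abc123
Received: from 198.51.100.77 (unknown [198.51.100.77])
    by relay.corp.example with SMTP id def456
From: "Payments Association" <notices@payments-association.example>
To: treasurer@corp.example
Subject: Rejected ACH transaction, ID 7743
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please review the attached report.

--XYZ
Content-Type: application/octet-stream; name="ACH-report.pdf.exe"
Content-Disposition: attachment; filename="ACH-report.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--XYZ--
"""


def origin_host(msg):
    """Host named in the earliest Received: header.

    Each relay prepends its own Received: line, so the last one in the list
    is the hop closest to the true origin of the message.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_FROM_RE.search(received[-1])
    return m.group(1).strip("()[];").lower() if m else None


def sender_domain(msg):
    """Domain part of the From: address, ignoring the display name."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def routing_mismatch(msg):
    """True when the sender domain is one we know and the origin host is not one of its mail hosts."""
    known = KNOWN_MAIL_HOSTS.get(sender_domain(msg))
    host = origin_host(msg)
    if known is None or host is None:
        return False  # nothing to compare against
    return host not in known


def double_extension_attachments(msg):
    """Attachment names with a decoy extension followed by an executable one."""
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) >= 3 and "." + pieces[-1] in EXECUTABLE_SUFFIXES:
            flagged.append(name)
    return flagged


def triage(raw):
    """Return the indicators found in a raw RFC 5322 message, in a fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    if routing_mismatch(msg):
        indicators.append("routing-mismatch:%s" % origin_host(msg))
    for name in double_extension_attachments(msg):
        indicators.append("double-extension:%s" % name)
    return indicators


if __name__ == "__main__":
    for indicator in triage(SAMPLE_MESSAGE):
        print(indicator)
```

Run against the constructed sample, `triage` reports both indicators. Note that the bottom-most Received: line is written by a relay the recipient controls only when the message passed through a single external hop; an attacker can forge earlier Received: lines, so the check should be applied to the first hop seen by the organisation's own edge relay rather than trusted blindly.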


At the time of analysis, VirusTotal detection had still not reached 50%, and the mixed results show that not all the major AV engines detect this yet either. Websense Email Security and Websense Web Security protect against these kinds of blended threats with ACE, our Advanced Classification Engine.
