Malicious Emails with Subject “ACH Payment xxxxx Canceled”
Have you received an email with the subject line "ACH Payment xxxxx Canceled"? Please don't open the link in the email: it leads to a malicious URL.
Websense® ThreatSeeker® Network has detected an email campaign that broke out on 27 September 2011. All the emails in this campaign carry the subject line "ACH Payment xxxxx Canceled", where xxxxx is a random number generated by the spammers. Every email in the campaign links to the same URL. After clicking the link, victims are taken through a chain of redirects to various malicious URLs, and finally a trojan is downloaded without any notification to the user. Websense customers are not affected by this campaign, as Websense® ThreatSeeker® already detects and blocks this attack.
The earlier technique of attaching a zip file could be detected on the fly within a very short time. This time, however, the email carries an embedded forged link: the link text displayed to the reader shows one URL while the underlying link target is a different one, as in the example below:
The displayed URL and the actual link target are different, and the actual target in the example above is a malicious URL. We can use Websense® ThreatSeeker® to analyze its payload:
The payload contains an iframe that redirects the browser to another malicious URL. That URL hosts the Blackhole exploit kit (one of the most widely used exploit kits), which downloads a Zbot file; the file has been confirmed as Zbot by VirusTotal.
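Both indicators described above, a link whose visible text shows one URL while its href points to a different host, and a hidden iframe on the landing page that silently pulls in the exploit kit, can be checked mechanically by a mail or web gateway. The Python script below is an added example written for this note, not Websense's or ThreatSeeker's code; it uses only the standard library. The subject line, HTML bodies and example.* URLs in it are constructed samples (RFC 2606 reserved domains), not artifacts from the real campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject-line pattern used by the campaign: "ACH Payment <random number> Canceled".
SUBJECT_RE = re.compile(r"^\s*ACH Payment\s+\d+\s+Canceled\s*$", re.IGNORECASE)

# Link text that reads as a URL or bare hostname ("https://..." or "www....").
URL_LIKE_RE = re.compile(r"^(?:https?://|www\.)\S+$", re.IGNORECASE)


def _host(url):
    """Lowercase hostname of a URL with a leading 'www.' dropped; bare 'www.x' text gets a scheme."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_campaign_subject(subject):
    return SUBJECT_RE.match(subject) is not None


class _Scanner(HTMLParser):
    """Collect (href, visible text) for every <a>, and the attributes of every <iframe>."""

    def __init__(self):
        super().__init__()
        self.links, self.iframes = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = (a.get("href") or ""), []
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href, self._text = None, []


def find_forged_links(html):
    """(visible text, href) pairs whose text looks like a URL but names a different host than the href."""
    s = _Scanner()
    s.feed(html)
    return [(text, href) for href, text in s.links
            if URL_LIKE_RE.match(text) and _host(text) != _host(href)]


def _is_hidden(attrs):
    """Hidden by CSS, or sized 1x1 or smaller: the classic drive-by iframe."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for key in ("width", "height"):
        v = (attrs.get(key) or "").strip().lower().rstrip("px")
        if v.isdigit() and int(v) <= 1:
            return True
    return False


def find_iframes(html):
    """(src, hidden) for every iframe in the document."""
    s = _Scanner()
    s.feed(html)
    return [(a.get("src") or "", _is_hidden(a)) for a in s.iframes]


def analyze_message(subject, html):
    """Combine the three indicators into one report for an email body or a fetched landing page."""
    forged = find_forged_links(html)
    hidden = [src for src, is_hidden in find_iframes(html) if is_hidden]
    report = {
        "campaign_subject": is_campaign_subject(subject),
        "forged_links": forged,
        "hidden_iframes": hidden,
    }
    report["suspicious"] = bool(report["campaign_subject"] or forged or hidden)
    return report


# Constructed sample data (reserved example.* domains; not URLs from the real campaign).
SAMPLE_SUBJECT = "ACH Payment 48213 Canceled"
SAMPLE_BODY = (
    '<p>Your ACH transfer has been canceled. Details: '
    '<a href="http://redirect.example.net/go.php?id=1">'
    'https://www.bank-portal.example.com/ach/status</a></p>'
    '<p>Questions? <a href="mailto:support@example.com">Contact support</a></p>'
)
SAMPLE_LANDING = (
    '<html><body><h1>Please wait...</h1>'
    '<iframe src="http://kit.example.org/index.php" width="1" height="1" '
    'style="visibility:hidden"></iframe></body></html>'
)
BENIGN_BODY = '<p>Read more at <a href="https://www.example.com/news">https://example.com/news</a></p>'

if __name__ == "__main__":
    print(analyze_message(SAMPLE_SUBJECT, SAMPLE_BODY))
    print(analyze_message("(landing page)", SAMPLE_LANDING))
    print(analyze_message("Weekly newsletter", BENIGN_BODY))
```

The host comparison ignores only a leading "www.", so a link whose text names example.com but whose href goes to a lookalike such as example-com.net is still flagged, while an attacker who uses non-URL link text ("click here") is not caught by this check at all. Treat the output as a triage signal to feed into URL reputation lookups, not as a verdict on its own.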
So far we have received more than 200,000 messages from this campaign, and we will continue to monitor it.
Websense® ThreatSeeker® has also detected the following similar URLs:
Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.