If you have an email address in the United States, either you or your spam filter is certainly familiar with this spam by now:
The spam with the subjects "ACH Payment (random numbers) Canceled" intends to imitate the National Automated Clearing House Association. NACHA is the organization that banks use to handle the electronic transfer of funds between domestic banks for things such as "Direct Deposit" or electronic bill paying.
The spam's message "The ACH transaction recently initiated from your checking acount was canceled by the other financial institution" is intended to elicit a panic response to get the recipient to click on the link in the email.
The problem has been getting worse because of two "upgrades" by the spammers.
First - they are using "drive-by" infectors, in the form of the BlackHole Exploit Kit. In the past a spam message such as this would have relied on trying to get you to download an '.exe' file and trick you into running it on your computer. Now, simply visiting the website will often be enough to infect your machine.
The second improvement, which comes and goes in waves, is that the criminals have compromised many "intermediary" web hosts to use in their spam. If the spammer were sending you to "mybadsite.com" your security software would quickly learn that "mybadsite.com" is a potentially harmful destination and block you from visiting.
To make sure their spam is delivered, the spammers have stolen the credentials from many website owners and have used these credentials to add one tiny file to their existing legitimate website. So, as a randomly chosen example, the spam link that claims to point to "nacha.org" may actually point to a page at "iscsconferencerecording.com". That page belongs to the International Society of Communication Specialists, so it probably has a "positive" reputation among security companies, who may be loathe to block the site.
What happens when we visit that page?
The only contents on the page "am2wdh.html" are calls to two Javascript files on other websites. In this case:
www.xmjhx.com /czc /js.js
and
vscreative.com /images /js.js
The first time I loaded this, it caused a document location to be set to "www.nachaemployee.com"
A rerun of the same site pointed me instead to a blackhole exploit kit page at:
milloworks.com /main.php? page=890639ab2b6c1ab8
Which caused me to fetch:
milloworks.com /w.php ?f=70&e=4
This caused me to download the file:
www.vncoach.com /editors /nachareport20111910.pdf.exe
Another attempt sent me to:
tgqswpqqh.org.in from which we attempt to load the Blackhole Exploit page from
This drops a number of files on our computer, including Flash exploits, PDF exploits, and an EXE called "FIX_KB112755.exe" which gets downloaded from the IP address 213.123.52.133. FIX_KB111088.exe and FIX_KB113547.exe were also downloaded from there.
After the malware drops on the computer, we are forwarded through "dating-portal.net" where the affiliate engine sends us to an "Adult Friend Finder" sign-up website.
The point of this story, however, is not really what malware gets dropped, but the use of so many hacked intermediary servers to do the dropping.
In the first twelve hours of October 19, 2011, we saw 184 different websites used in this type of attack with an ACH spam subject line. In order of occurrence, with the first observed URL each, here is what we've seen today:
HOSTNAME PATH
================================ ===================================
preseis.com /7x1tyg6.html
server.softhost.org /
silverfruit.com.ec /t2jr.html
newsletter.stable-jo.com /t43z.html
www.Shoubra-prep.com /4x8l.html
marcinjarzabek.cp5.win.pl /16ih2.html
professionalroofing.co.uk /ph4xn5.html
host272.hostmonster.com /~fdflockc/6xh9l1e.html
sethsauction.com /6gh1u7.html
www.corazondejesus.net /4cpjx.html
murciaopina.com /tq3e.html
www.digitalhomna.com /
latinholdings.com.mx /4ghy.html
108cms.com /3n7s.html
way2tutorial.com /g02lwbp.html
nimbuscertifications.com /4qt4.html
ultimateselena.org /0tpno.html
www.efficientorganizationnw.com /rk1pb.html
trinity-work-shop.test-rackspeed.de /
hosting31.serverhs.org /~ecommerc/zu9iah7.html
www.todotaringa.com /0pya.html
stremyfoot.com /q37hdi.html
www.ganarlaprimitiva.com /g5knqjr.html
manaiz.com /a2w7q.html
caspsurveys.org /zmu2.html
www.ironsidegroup.pk /kq6bz.html
temporary-toilets.com /mczkg.html
0342962.netsolhost.com /716txi.html
babilhotel.com /5bf0html
customcakesnw.com /not8.html
tomralph.net /vsz8c.html
www.panelpeople.com /1060.html
goldencrownhotel.com /zf9w3uh.html
www.launas.fr /jjssgx4.html
dev.crm-warehouse.be /uclt4.html
alassite.com /2hyl0.html
02be375.netsolhost.com /6mu1v.html
evo2inc.com /o3wyn.html
campossaab.net /g1hrhtml
inzanepix.com /19v4sx.html
specialrental.com /p5y6.html
iscsconferencerecording.com /am2wdh.html
www.murciaopina.com /rt5dmy.html
buynanoclean.com /3c6tp7.html
froda.com /5kbnak.html
globaliellc.com /1o36z.html
mslbx.com /~servatus/soexlyy.html
indexpoker.com /
diversco.com /6fxo.html
www.acclaimcabinetscom.au /7xoslgn.html
mvlmobile.in /d34c.html
weightlosspersonaltrainerconsulting.com /1decnf9.html
vandieautomatisering.nl /linhe.html
intestinoirritable.ws /e66uc.html
fmwwrestling.us /gsld0d.html
abeauty.com.au /
sokullupasahotel.com /fvn4upi.html
ants.net.au /yxe4ma.html
lkco.in /a8l876j.html
static-64-184-73-69nocdirect.com /~afroland/eh8jvre.html
damarchesi.it /6m2rdlx.html
trinity-work-shop.de /5t5ub.html
mycountylink.com /f6atze.html
artigianatopasella.com /9ghy.html
ohtobeyoungagain.com /t4cj.html
syedaliahmad.com /3mlnfh.html
www.geelongeisteddfod.com.au /13pspj.html
www.tommysparger.com /ci87qyp.html
nt-ves.ac.th /
diipbmis.nl /l374dcthtml
bakulpharma.com /
etno-plants.ro /
professionalroofingco.uk /vmba.html
altiaproducts.com /29f4.html
dezoetezaak.nl /anxl5.html
ozurfa.com.tr /ras5.html
lexxstore.de /7nsenqhtml
meirmodiin.org /~meirm/kk22.html
siflindia.com /27swn2.html
grapediscounts.com /fjlj9k.html
fastincomebiz.com /hsd6g7b.html
thebeadrotisserie.com /vel42.html
46.23.64.241 /~jamias/lc50sf.html
fastincomesystem.biz /u8g4tn.html
surebg.co.za /xltlgs.html
110.4.42.93 /bx94l.html
www.resourceelementlimited.com /
graph2profit.com /utxfc.html
shriganpatiproduction.net /r05qv4h.html
micrene.com /ivowl1rhtml
pdscientific.com /tl1s.html
www.wanithai.com /u7pv30b.html
ads-protection.com /fs3lax.html
sl3-vgt.vgthosting.com /~worknetw/fj2bvn.html
fb.servatusdev.com /~servdev/56iy2.html
hedy-lamarr.org /n2tgsb.html
niritech.com /pxkf.html
212.68.54.148 /~radyoruz/qsdsw9m.html
www.pushtiieshakti.com /783i.html
empiresallies-secrets.com /k0bayr.html
tarjetaspilos.com /9tvd.html
voongo.com /asfti1/index.html
searchtroop.net /04sh.html
altagallura.it /bd5jhtml
gran-mar.com.ar /4p6sbu7.html
fullart.com.pe /3c55egr.html
sanianishtar.info /7o2dd.html
umtelecom.com /h10krhtml
reformasyreparaciones.com /76kdp.html
206.217.196.47 /~dumpsche/kes773.html
acumenauditors.com.au /vfa9.html
www.rippt.com /t8859u.html
trunghieu.com /hsx1n3r.html
delallosa.com /mtgy99y.html
lainformacion.us /snkk1.html
refritermo.com /j9ps4y.html
www.grahajodoh.com /bqe6zk.html
etakip.com /yg4jl9.html
carifind.com /t718xhhtml
jpvarleyllc.com /kna4wx.html
www.shatteredhope.gr /lnsp.html
autoblog.fastincomesystem.biz /~cheers/gyjde.html
reformhaus-mehnert.de /2vn9yr5.html
indianbookshop.co.in /5b9fgs.html
host272.hostmonstercom /~fdflockc/6xh9l1e.html
enbramex.com /mpvsgi2.html
onlinesurat.com /mb2d.html
surrealtopia.com /hmsuu.html
el-salto-fishing.com /agg0noo.html
simplefact.mx /xln290.html
bofco.in /htrc.html
iznillahcng.com /y5le.html
static-64-184-73-69.nocdirect.com /~afroland/eh8jvre.html
vizonix.com /c1ptwqs/index.html
visionciudadconsultores.com /dwqopc/index.html
winsbyinc.com /0sm9j5/index.html
www.tradehalls.com /8eeh2.html
4income-solutions.com /93e3x.html
locanda-stazzo-bona.com /
jade.nseasy.com /~manishar/7xl9bd.html
GUHDNS.COM /md8g.html
livedata.it /ssao.html
www.manojengg.com /scv2.html
sexshop.com.tr /3igtv8.html
perfumeylenceria.com /joiwku.html
server10.namecheaphosting.com /
freunde-klinik-ottobeuren.de /oryh1.html
floristeriasdecoaromascostarica.com /kh31.html
portalinternational.us /5ecf2z.html
molinas.eu /nz4ot.html
clubfirst.org /2ba0jra.html
thepentad.com /eg3eje/index.html
www.dsmodular.com /qt21ta.html
hotelmarinepalace.com /0493.html
teresita.com.mx /hcrji4t.html
198.63.48.81 /z116c.html
punjnud.com /3sllgkihtml
inkostudio.com /y0ao0c.html
tuncakyavas.com /jfifrpb.html
hkf.huber-babenhausen.de /xyy4dg3.html
watson.timeweb.ru /~kostos/7euyd25.html
vscreative.com /x882.html
lemilano.fr /
labeltula.it /e51rsq.html
www.acclaimcabinets.com.au /
shelterpropertydealers.com /97qf.html
dotmile.com /cvpa4jj.html
www.clubbayard.com /w6kzi.html
myauto.co.nz /odmz0chtml
whydodogs.org /jdab40.html
bigrace2012.com /3ri1vt.html
www.launas-hebergement.com /fj9p1.html
www.neoplastic.gr /0qedzw.html
ittefaqpipe.com /2inp.html
efficientorganizationnw.com /ix84c.html
indosyslife.com /cdwwto.html
newmonicaarts.org /
avicarusa.com /uyxasjr.html
atlantidesardegna.it /61fyvx.html
baratrucks.com /n6j5m.html
heromw.com /602ka.html
web3.biz /4jdsydk.html
eqsync.com /bx5wfm.html
weblinksubmissions.com /1bgypq/index.html
The spam with the subjects "ACH Payment (random numbers) Canceled" intends to imitate the National Automated Clearing House Association. NACHA is the organization that banks use to handle the electronic transfer of funds between domestic banks for things such as "Direct Deposit" or electronic bill paying.
The spam's message "The ACH transaction recently initiated from your checking acount was canceled by the other financial institution" is intended to elicit a panic response to get the recipient to click on the link in the email.
The problem has been getting worse because of two "upgrades" by the spammers.
First - they are using "drive-by" infectors, in the form of the BlackHole Exploit Kit. In the past a spam message such as this would have relied on trying to get you to download an '.exe' file and trick you into running it on your computer. Now, simply visiting the website will often be enough to infect your machine.
The second improvement, which comes and goes in waves, is that the criminals have compromised many "intermediary" web hosts to use in their spam. If the spammer were sending you to "mybadsite.com" your security software would quickly learn that "mybadsite.com" is a potentially harmful destination and block you from visiting.
To make sure their spam is delivered, the spammers have stolen the credentials from many website owners and have used these credentials to add one tiny file to their existing legitimate website. So, as a randomly chosen example, the spam link that claims to point to "nacha.org" may actually point to a page at "iscsconferencerecording.com". That page belongs to the International Society of Communication Specialists, so it probably has a "positive" reputation among security companies, who may be loathe to block the site.
What happens when we visit that page?
The only contents on the page "am2wdh.html" are calls to two Javascript files on other websites. In this case:
www.xmjhx.com /czc /js.js
and
vscreative.com /images /js.js
The first time I loaded this, it caused a document location to be set to "www.nachaemployee.com"
A rerun of the same site pointed me instead to a blackhole exploit kit page at:
milloworks.com /main.php? page=890639ab2b6c1ab8
Which caused me to fetch:
milloworks.com /w.php ?f=70&e=4
This caused me to download the file:
www.vncoach.com /editors /nachareport20111910.pdf.exe
Another attempt sent me to:
tgqswpqqh.org.in from which we attempt to load the Blackhole Exploit page from
This drops a number of files on our computer, including Flash exploits, PDF exploits, and an EXE called "FIX_KB112755.exe" which gets downloaded from the IP address 213.123.52.133. FIX_KB111088.exe and FIX_KB113547.exe were also downloaded from there.
After the malware drops on the computer, we are forwarded through "dating-portal.net" where the affiliate engine sends us to an "Adult Friend Finder" sign-up website.
The point of this story, however, is not really what malware gets dropped, but the use of so many hacked intermediary servers to do the dropping.
In the first twelve hours of October 19, 2011, we saw 184 different websites used in this type of attack with an ACH spam subject line. In order of occurrence, with the first observed URL each, here is what we've seen today:
HOSTNAME PATH
================================ ===================================
preseis.com /7x1tyg6.html
server.softhost.org /
silverfruit.com.ec /t2jr.html
newsletter.stable-jo.com /t43z.html
www.Shoubra-prep.com /4x8l.html
marcinjarzabek.cp5.win.pl /16ih2.html
professionalroofing.co.uk /ph4xn5.html
host272.hostmonster.com /~fdflockc/6xh9l1e.html
sethsauction.com /6gh1u7.html
www.corazondejesus.net /4cpjx.html
murciaopina.com /tq3e.html
www.digitalhomna.com /
latinholdings.com.mx /4ghy.html
108cms.com /3n7s.html
way2tutorial.com /g02lwbp.html
nimbuscertifications.com /4qt4.html
ultimateselena.org /0tpno.html
www.efficientorganizationnw.com /rk1pb.html
trinity-work-shop.test-rackspeed.de /
hosting31.serverhs.org /~ecommerc/zu9iah7.html
www.todotaringa.com /0pya.html
stremyfoot.com /q37hdi.html
www.ganarlaprimitiva.com /g5knqjr.html
manaiz.com /a2w7q.html
caspsurveys.org /zmu2.html
www.ironsidegroup.pk /kq6bz.html
temporary-toilets.com /mczkg.html
0342962.netsolhost.com /716txi.html
babilhotel.com /5bf0html
customcakesnw.com /not8.html
tomralph.net /vsz8c.html
www.panelpeople.com /1060.html
goldencrownhotel.com /zf9w3uh.html
www.launas.fr /jjssgx4.html
dev.crm-warehouse.be /uclt4.html
alassite.com /2hyl0.html
02be375.netsolhost.com /6mu1v.html
evo2inc.com /o3wyn.html
campossaab.net /g1hrhtml
inzanepix.com /19v4sx.html
specialrental.com /p5y6.html
iscsconferencerecording.com /am2wdh.html
www.murciaopina.com /rt5dmy.html
buynanoclean.com /3c6tp7.html
froda.com /5kbnak.html
globaliellc.com /1o36z.html
mslbx.com /~servatus/soexlyy.html
indexpoker.com /
diversco.com /6fxo.html
www.acclaimcabinetscom.au /7xoslgn.html
mvlmobile.in /d34c.html
weightlosspersonaltrainerconsulting.com /1decnf9.html
vandieautomatisering.nl /linhe.html
intestinoirritable.ws /e66uc.html
fmwwrestling.us /gsld0d.html
abeauty.com.au /
sokullupasahotel.com /fvn4upi.html
ants.net.au /yxe4ma.html
lkco.in /a8l876j.html
static-64-184-73-69nocdirect.com /~afroland/eh8jvre.html
damarchesi.it /6m2rdlx.html
trinity-work-shop.de /5t5ub.html
mycountylink.com /f6atze.html
artigianatopasella.com /9ghy.html
ohtobeyoungagain.com /t4cj.html
syedaliahmad.com /3mlnfh.html
www.geelongeisteddfod.com.au /13pspj.html
www.tommysparger.com /ci87qyp.html
nt-ves.ac.th /
diipbmis.nl /l374dcthtml
bakulpharma.com /
etno-plants.ro /
professionalroofingco.uk /vmba.html
altiaproducts.com /29f4.html
dezoetezaak.nl /anxl5.html
ozurfa.com.tr /ras5.html
lexxstore.de /7nsenqhtml
meirmodiin.org /~meirm/kk22.html
siflindia.com /27swn2.html
grapediscounts.com /fjlj9k.html
fastincomebiz.com /hsd6g7b.html
thebeadrotisserie.com /vel42.html
46.23.64.241 /~jamias/lc50sf.html
fastincomesystem.biz /u8g4tn.html
surebg.co.za /xltlgs.html
110.4.42.93 /bx94l.html
www.resourceelementlimited.com /
graph2profit.com /utxfc.html
shriganpatiproduction.net /r05qv4h.html
micrene.com /ivowl1rhtml
pdscientific.com /tl1s.html
www.wanithai.com /u7pv30b.html
ads-protection.com /fs3lax.html
sl3-vgt.vgthosting.com /~worknetw/fj2bvn.html
fb.servatusdev.com /~servdev/56iy2.html
hedy-lamarr.org /n2tgsb.html
niritech.com /pxkf.html
212.68.54.148 /~radyoruz/qsdsw9m.html
www.pushtiieshakti.com /783i.html
empiresallies-secrets.com /k0bayr.html
tarjetaspilos.com /9tvd.html
voongo.com /asfti1/index.html
searchtroop.net /04sh.html
altagallura.it /bd5jhtml
gran-mar.com.ar /4p6sbu7.html
fullart.com.pe /3c55egr.html
sanianishtar.info /7o2dd.html
umtelecom.com /h10krhtml
reformasyreparaciones.com /76kdp.html
206.217.196.47 /~dumpsche/kes773.html
acumenauditors.com.au /vfa9.html
www.rippt.com /t8859u.html
trunghieu.com /hsx1n3r.html
delallosa.com /mtgy99y.html
lainformacion.us /snkk1.html
refritermo.com /j9ps4y.html
www.grahajodoh.com /bqe6zk.html
etakip.com /yg4jl9.html
carifind.com /t718xhhtml
jpvarleyllc.com /kna4wx.html
www.shatteredhope.gr /lnsp.html
autoblog.fastincomesystem.biz /~cheers/gyjde.html
reformhaus-mehnert.de /2vn9yr5.html
indianbookshop.co.in /5b9fgs.html
host272.hostmonstercom /~fdflockc/6xh9l1e.html
enbramex.com /mpvsgi2.html
onlinesurat.com /mb2d.html
surrealtopia.com /hmsuu.html
el-salto-fishing.com /agg0noo.html
simplefact.mx /xln290.html
bofco.in /htrc.html
iznillahcng.com /y5le.html
static-64-184-73-69.nocdirect.com /~afroland/eh8jvre.html
vizonix.com /c1ptwqs/index.html
visionciudadconsultores.com /dwqopc/index.html
winsbyinc.com /0sm9j5/index.html
www.tradehalls.com /8eeh2.html
4income-solutions.com /93e3x.html
locanda-stazzo-bona.com /
jade.nseasy.com /~manishar/7xl9bd.html
GUHDNS.COM /md8g.html
livedata.it /ssao.html
www.manojengg.com /scv2.html
sexshop.com.tr /3igtv8.html
perfumeylenceria.com /joiwku.html
server10.namecheaphosting.com /
freunde-klinik-ottobeuren.de /oryh1.html
floristeriasdecoaromascostarica.com /kh31.html
portalinternational.us /5ecf2z.html
molinas.eu /nz4ot.html
clubfirst.org /2ba0jra.html
thepentad.com /eg3eje/index.html
www.dsmodular.com /qt21ta.html
hotelmarinepalace.com /0493.html
teresita.com.mx /hcrji4t.html
198.63.48.81 /z116c.html
punjnud.com /3sllgkihtml
inkostudio.com /y0ao0c.html
tuncakyavas.com /jfifrpb.html
hkf.huber-babenhausen.de /xyy4dg3.html
watson.timeweb.ru /~kostos/7euyd25.html
vscreative.com /x882.html
lemilano.fr /
labeltula.it /e51rsq.html
www.acclaimcabinets.com.au /
shelterpropertydealers.com /97qf.html
dotmile.com /cvpa4jj.html
www.clubbayard.com /w6kzi.html
myauto.co.nz /odmz0chtml
whydodogs.org /jdab40.html
bigrace2012.com /3ri1vt.html
www.launas-hebergement.com /fj9p1.html
www.neoplastic.gr /0qedzw.html
ittefaqpipe.com /2inp.html
efficientorganizationnw.com /ix84c.html
indosyslife.com /cdwwto.html
newmonicaarts.org /
avicarusa.com /uyxasjr.html
atlantidesardegna.it /61fyvx.html
baratrucks.com /n6j5m.html
heromw.com /602ka.html
web3.biz /4jdsydk.html
eqsync.com /bx5wfm.html
weblinksubmissions.com /1bgypq/index.html
