I've come across two incidents within three days, both seemingly isolated, but which, according to an FBI news release (January 2012), were actually two stages of a single money-laundering operation.
The email looks genuine: it has an order ID number, and both sender addresses here belong to legitimate companies. But, as with most email scams, it doesn't address the recipient by full name (or include any other personal details), and, as we'll see, it wasn't actually sent by NACHA. The link took me to an insecure, non-functioning orders page hosted by an Indian service provider. While the campaign was live, that link was supposed to point to an installer (disguised as a 'Direct Deposit program') for a variant of the Zeus malware, planted there by the criminal. Once installed on an average PC, the malware would exfiltrate whatever bank account details it captured to a C&C server; it might also give the attacker remote access, or add the victim's computer to a botnet. Unfortunately there was no malware left to download and play around with. In short, the email was crafted to trick the recipient into installing Trojan malware. There are numerous versions of this, involving fake sites, online forms designed to look like the real thing, and so on. What else is happening? Let's look at some information hiding in the email's extended headers:
Content-Type: multipart/alternative; boundary="07030900108010508050501"
Date: Fri, 9 Nov 2012 11:09:06 +0300 [11/09/12 08:09:06 GMT]
From: noreply@direct.nacha.org <blendedz@taskmortgage.com>
MIME-Version: 1.0
Message-ID: <********.*******@afet.or.th>
Received: (qmail 10237 invoked from network); 9 Nov 2012 15:08:29 +0000
Received: from unknown (HELO afet.or.th) (***.***.***.***) by ******.*******.com with SMTP; 9 Nov 2012 15:08:29 +0000
Received: from riahfrgtdjggshirf (192.168.1.52) by riahfrgtdjggshirf.tcsn.net (***.***.***.***) with Microsoft SMTP Server id 8.0.***.***; Fri, 9 Nov 2012 11:09:06 +0300
The extended headers, particularly the Received fields, are the useful part here: every relay prepends one, so read from the bottom up they show where the message entered the mail system and how it was routed. The From line alone shows the spoofing: the part a mail client displays, noreply@direct.nacha.org, is only a display name, and the actual sender address is blendedz@taskmortgage.com. The bottom Received line shows the message being submitted from a machine calling itself riahfrgtdjggshirf, on the private address 192.168.1.52, to a Microsoft SMTP server at riahfrgtdjggshirf.tcsn.net, whose public IP address is masked above. Both InfoSniper and whois searches revealed this IP address belonged to someone in Belarus, and since it was a fixed address, it most likely belonged to another hosting provider. One caveat applies: only the Received line written by the recipient's own server is guaranteed genuine. Everything beneath it arrived as part of the message and could have been written by the sender, so the hop our server recorded, which shows the message arriving from a host announcing itself as afet.or.th (a domain that also appears in the Message-ID), deserves at least as much attention as the tcsn.net line.
Summary
As I've mentioned, the FBI news release pointed out a connection between those sending the fake NACHA emails and the incident in which money was taken from a victim's account as part of the Web Star fraud. Assuming that news release was accurate, the following would have happened. A scam email is sent out by a mail server in Belarus, socially engineering people into downloading an installer for a variant of the Zeus malware. Once installed on the victim's computer, the malware sends the bank account details to a C&C server run by the attacker. The attacker then debits the victims' accounts, transferring the money to several other victims (the money mules) who relay it to another criminal in the belief they're conducting transactions for a legitimate company as part of a 'work from home' scheme.
References
BOBBEAR. 2009. Web Star Fraud. [WWW]. http://www.bobbear.co.uk/archived_frauds/webstar.html. (10th November 2012).
FEDERAL BUREAU OF INVESTIGATION. 2012. Malware Targets Bank Accounts. [WWW]. http://www.fbi.gov/news/stories/2012/january/malware_010612. (10th November 2012).
GFI LABS. 2012. GFI Software - Malicious spam alerts. [Online Image]. http://gfisoftware.tumblr.com/post/34700052148/malicious-nacha-direct-deposit-spam. (10th November 2012).
WIKIPEDIA. 2012. Zeus (Trojan Horse). [WWW]. http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29. (10th November 2012).
XeroCrypt Security and Forensics https://xerocrypt.wordpress.com