“ACH Payment Canceled” spam leads to malware

After a short pause, the failed/cancelled ACH transaction spam is hitting inboxes again.

Since yesterday, Websense has intercepted over 200,000 of the following emails:

The 7-digit number in the subject line changes randomly from email to email, but the embedded link is always the same, say the researchers.
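The pattern described above (a subject that differs only in its 7-digit number, paired with one unchanging link) can be turned into a mail-gateway clustering check. The following Python sketch is an added example, not code from Websense or the original article; the sample messages, subject wording, and example.test URLs are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

SEVEN_DIGITS = re.compile(r"\b\d{7}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")

def fingerprint(raw):
    """Return (subject template, 7-digit numbers in subject, URLs in body)."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    numbers = set(SEVEN_DIGITS.findall(subject))
    # Replace the rotating number so all campaign subjects collapse to one template.
    template = SEVEN_DIGITS.sub("<N>", subject.lower()).strip()
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            urls.update(u.rstrip(".,)") for u in URL.findall(body))
    return template, numbers, urls

def find_campaigns(raw_messages, min_distinct=3):
    """Flag (template, url) pairs seen with many different subject numbers."""
    seen = defaultdict(set)
    for raw in raw_messages:
        template, numbers, urls = fingerprint(raw)
        for url in urls:
            seen[(template, url)].update(numbers)
    return {key: len(n) for key, n in seen.items() if len(n) >= min_distinct}

def _sample(subject, url):
    # Constructed test message; not taken from the real campaign.
    return (f"From: notice@example.test\nSubject: {subject}\n\n"
            f"Transaction details: {url}\n")

SAMPLES = [_sample(f"ACH Payment {n} Canceled", "http://redirect.example.test/ach")
           for n in ("4821907", "1093356", "7740218", "3358841")]
SAMPLES.append(_sample("Order 5550123 shipped", "http://shop.example.test/track"))

if __name__ == "__main__":
    for (template, url), count in find_campaigns(SAMPLES).items():
        print(f"{count} distinct numbers, same link: {template!r} -> {url}")
```

A single legitimate message with a 7-digit order number does not reach the threshold; only a template repeated with several different numbers and the same link is reported.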

A click on it takes the victim through a series of redirections to a malicious web page hosting the BlackHole exploit kit, whose ultimate goal is to open the door for the installation of a Zbot variant that steals confidential data and opens a backdoor on the infected computer.

The variant is currently detected by 29 of the 43 AV solutions VirusTotal uses to check potentially malicious files, so the majority of users who keep their AV software updated should be safe. Also, the web page hosting the exploit kit has been taken down for the time being.

Nevertheless, users are warned never to follow embedded links in unsolicited emails and to be aware that warnings such as these are rarely legitimate. If in doubt, it is always best to check with one’s bank or financial institution via phone whether they have sent the email.
