NACHA Phishing Alert
A fake email that appeared to be sent from NACHA (National Automated Clearing House Association) began circulating yesterday. The spoofed email may contain any of the following subject lines:
- Rejected ACH Transaction
- Please review the transaction report
- Rejected ACH transaction, please review the transaction report
- Unauthorized ACH transaction
- Unauthorized ACH Transaction Report
- Your ACH transaction was rejected
- Your ACH transaction was rejected by The Electronic Payments Association

The email appears to come from the address support@nacha.org with any of the following sender names:
- ACH Network
- Automated Clearing House (ACH)
- Electronic Payments Association
- NACHA
- nacha.org
- National Automated Clearing House Association
The email directs the user to a fake website that appears to be the NACHA site. The fake site contains a link that, if clicked, will infect the user's PC, most likely with the Zbot banking Trojan, also known as Zeus, one of the most widespread Trojans in use today. Zbot is not detected or removed by most anti-virus programs due to its ability to morph.
For the clients who have called us, their anti-virus was not detecting the Trojan. In one case, the malicious software was only detected because the bank's Managed Security Services Provider (MSSP) noticed unusual traffic emanating from the bank and the infected PC.
According to the Symantec website, "This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening."
The Trojan attempts to steal login information and other sensitive data from the infected computer.
What should you do? Our advice:
- Send an alert to all bank employees asking if anyone has received an email like the one described above
- Educate bank employees on this latest threat, via the alert
- Ensure anti-virus is running, up-to-date, and active on all machines
- Determine if any unusual activity has been detected by your bank's anti-virus software
- Check with your Managed Security Services Provider (MSSP) and ask if any unusual traffic is emanating from the bank's network
- Determine if any unauthorized ACH transactions have been originated
- Remain diligent and aware of this threat, and ones like it that seek to infect bank, and bank customer, systems
- Follow your bank's business continuity plan or incident response plan to ensure that only authorized bank spokespersons communicate with the media
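To support the first items in the list above, stored mail can be checked against the subject lines, sender names and spoofed address given in this alert. The Python below is an added example, not code from Sawyers & Jacobs; the function names and sample messages are constructed for illustration, and a match marks a message for review and does not by itself confirm it is the phish.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Indicators from the alert text, lower-cased for case-insensitive matching.
SUBJECTS = {
    "rejected ach transaction",
    "please review the transaction report",
    "rejected ach transaction, please review the transaction report",
    "unauthorized ach transaction",
    "unauthorized ach transaction report",
    "your ach transaction was rejected",
    "your ach transaction was rejected by the electronic payments association",
}
SENDER_NAMES = {"ach network", "automated clearing house (ach)",
                "electronic payments association", "nacha", "nacha.org",
                "national automated clearing house association"}
SPOOFED_ADDRESS = "support@nacha.org"

def _norm(text):
    """Collapse whitespace and lower-case a header value."""
    return re.sub(r"\s+", " ", text or "").strip().lower()

def match_indicators(raw_message):
    """Return which alert indicators appear in one message's headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    # Drop reply/forward prefixes so forwarded copies still match.
    subject = re.sub(r"^((re|fwd?):\s*)+", "", _norm(str(msg.get("Subject", ""))))
    hits = []
    if subject in SUBJECTS:
        hits.append("subject")
    if _norm(addr) == SPOOFED_ADDRESS:
        hits.append("from_address")
    if _norm(name) in SENDER_NAMES:
        hits.append("sender_name")
    return hits

# Constructed sample messages, not real captures.
SAMPLE_PHISH = ("From: ACH Network <support@nacha.org>\n"
                "Subject: FW: Your ACH transaction was rejected\n\nSee report.\n")
SAMPLE_BENIGN = ("From: Jane Doe <jane@bank.example>\n"
                 "Subject: Lunch on Friday\n\nNoon?\n")

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, match_indicators(raw))
```

Messages that match on the subject line plus either sender indicator are the ones to pull for review first.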
Anti-virus software is your first line of defense against these threats, but it should not be your only defense. Again, this threat is not detected or removed by most anti-virus software. A layered security strategy is the best defense, as those with MSSPs are discovering.
To our clients, please call us if you need our help to research or remove this latest threat.
At Sawyers & Jacobs, we only send these alerts when we believe the situation warrants and when we believe our clients and contacts need this critical information to mitigate their risk.