Is 2009 The Year of The Phish?
From every conceivable source they keep coming: Phishers targeting every brand name, financial institution, industry association, federal regulatory agency to get to their data-laden targets.
Earlier this fall it was the FDIC that was spoofed, along with other federal agencies and government leaders, including the U.S. Attorney General, Eric Holder. The latest target is NACHA, the Electronic Payments Association that oversees the Automated Clearing House (ACH) network. NACHA warned last week that fraudulent emails with "Rejected ACH Transaction" in the subject line are showing up in inboxes everywhere. The emails include links that redirect recipients to a fake website that appears to be the real NACHA website. The website contains a link that is suspected to be an executable with malware, mainly the Zeus Trojan.
NACHA warned last week that fraudulent emails with "Rejected ACH Transaction" in the subject line are showing up in inboxes everywhere.
"NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions," the organization says in its alert. "NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive."
The Zeus Trojan, also called Zbot, is the Trojan being used to steal online banking credentials of small and midsized businesses, and then used to steal money from those businesses via fraudulent ACH transactions.
But wait, there's more! Last night the FBI issued an alert warning law offices and PR companies that they are now being targeted with these phishing emails. It's a similar scenario: A fraudulent "spear phishing" email is sent, targeting a person within the firm to get them to open a file, or click on a link ... all with the same goal, to compromise the person's computer and steal data, passwords and anything else of value.
Phishers should be ready to face the price, as did the 100 phishers netted in Operation Phish Phry earlier this fall. But until there is a bigger net to catch all of the phishers out there, we'll have to keep public education about these scams at top of mind.