After a short pause, the failed/cancelled ACH transaction spam is hitting inboxes again. As of yesterday, 200,000 of these emails had been intercepted. The 7-digit number in the subject line changes randomly from email to email, but the embedded link is always the same, security researchers say.
If a user clicks the link in the email, they are taken through a number of redirections to a malicious web page hosting the ‘BlackHole’ exploit kit, which aims to deliver the Zbot payload. Zbot steals confidential information and opens a backdoor port on the infected system. VirusTotal reports that 29 of 43 AV solutions currently detect and remediate the malicious files. Update 09/28/11 – the web page hosting the malicious payload has been taken down.