ADP spams lead to a nasty surprise

Filed Under: Malware, Spam

With it being the end of the month, a Friday and the end of a calendar quarter, many of us are thinking about getting paid. Mmmmm, payday always feels good.

Unfortunately the scammers are trying to create their own payday and have moved from pretending to be NACHA, to impersonating payroll processing company ADP.

We are seeing two variants of the mail. One is simply a plain text message with the subject "ADP Funding Notification - Debit Draft" instructing you to click a link to view your transaction report.

The second is more professional looking and suggests to human resource specialists that ADP is upgrading its security processes and you need to login and be trained on the new procedures.

[Image: ADP spam]

On first look I expected this to be a well-crafted phishing campaign, but this time the links lead to malware rather than a credential-harvesting page.

The links in all of the messages we have received redirect to compromised websites that attempt to load malicious JavaScript that has all of the telltale signs of the Blackhole exploit kit.

If you were to visit these pages (don't be foolish!), Sophos detects the malicious JavaScript as Troj/JSRedir-GZ and Troj/JSRedir-H. We also detect the eventual payload as Troj/Dloadr-DPB.
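The discriminator in both variants is not the subject line, which a genuine ADP notice could also carry, but where the links actually point. The following triage script is an added example, not code from the post or from Sophos: it parses a few constructed messages modelled on the two lures, pulls every link out of the plain-text or HTML body, and flags a message that claims to be from the brand while linking to a host outside the brand's domain, or whose visible URL text differs from the real href target. The brand domain list (`adp.com`) and the placeholder hostnames in the samples are assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Lure wording taken from the two variants described in the post.
LURE_SUBJECTS = re.compile(
    r"ADP Funding Notification|Debit Draft|security (upgrade|procedure)",
    re.IGNORECASE,
)

# Domain the sender claims to be. Assumed for this example; swap in the brand
# being impersonated in your own mail stream.
BRAND_DOMAINS = ("adp.com",)
BRAND_NAME = "adp"

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ANCHOR_RE = re.compile(
    r'<a[^>]+href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL
)

# Constructed samples (placeholder hostnames, not real indicators): the plain
# text "Debit Draft" lure, the HTML "security upgrade" lure, and a benign notice
# with the same subject whose link really does stay on the brand's domain.
SAMPLES = {
    "debit_draft": (
        "From: ADP Notifications <notify@adp.com>\n"
        "Subject: ADP Funding Notification - Debit Draft\n"
        "Content-Type: text/plain\n\n"
        "Your transaction report is ready. View it at\n"
        "http://hacked-blog.example/adp/report.php\n"
    ),
    "security_upgrade": (
        "From: ADP HR Services <hr@adp.com>\n"
        "Subject: Important: ADP security upgrade - training required\n"
        "Content-Type: text/html\n\n"
        "<p>ADP is upgrading its security procedures. Please log in at "
        '<a href="http://hacked-shop.example/login">https://portal.adp.com</a>'
        " to complete training.</p>\n"
    ),
    "benign": (
        "From: ADP Notifications <notify@adp.com>\n"
        "Subject: ADP Funding Notification - Debit Draft\n"
        "Content-Type: text/plain\n\n"
        "View your report at https://portal.adp.com/reports\n"
    ),
}


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _on_brand(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def extract_links(msg: Message):
    """Return (display_text, href) pairs from every text part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        if part.get_content_subtype() == "html":
            for href, text in ANCHOR_RE.findall(body):
                links.append((re.sub(r"<[^>]+>", "", text).strip(), href))
        else:
            # Plain text: the visible URL is the link itself.
            for url in URL_RE.findall(body):
                links.append((url, url))
    return links


def triage(raw: str) -> dict:
    """Classify one raw RFC 822 message as 'ok' or 'suspicious' with reasons."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    sender = msg.get("From", "")
    reasons = []
    claims_brand = BRAND_NAME in (subject + sender).lower()
    if LURE_SUBJECTS.search(subject):
        reasons.append("subject matches known lure wording")
    off_brand = False
    for text, href in extract_links(msg):
        h = _host(href)
        if not _on_brand(h):
            off_brand = True
            reasons.append(f"link to off-brand host {h}")
        # Visible URL text whose host differs from the real target is the
        # classic display/href mismatch.
        if URL_RE.fullmatch(text) and _host(text) != h:
            off_brand = True
            reasons.append(f"displayed {_host(text)} but points to {h}")
    verdict = "suspicious" if (claims_brand and off_brand) else "ok"
    return {"subject": subject, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{name}: {result['verdict']} - {'; '.join(result['reasons'])}")
```

Note that the benign sample is rated "ok" even though its subject matches the lure wording: the subject alone only adds context, and the verdict hinges on the brand claim plus an off-brand or mismatched link, which is the property that separates the malicious redirect from a genuine notice.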

Sophos anti-spam products are blocking these messages as spam as another layer of defense-in-depth.

Don't click links in email, folks. It's 2012 and we have been saying this for over 10 years now. Think before you click.

Thank you to Savio Lau from SophosLabs for alerting me to this scam.


One Response to ADP spams lead to a nasty surprise

  1. Shirley · 740 days ago

    Thank you for this article. I've just had a few days off and my junk mail folder has several of these as well as sooooo much other garbage. I doubted the authenticity, so Googled with "hoax" and sure enough, it is. There were several articles saying so but yours is the one that stuck out.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.