ADP spams lead to a nasty surprise

Filed Under: Malware, Spam

With it being the end of the month, a Friday and the end of a calendar quarter, many of us are thinking about getting paid. Mmmmm, payday always feels good.

Unfortunately, the scammers are trying to create their own payday and have moved from pretending to be NACHA to impersonating the payroll processing company ADP.

We are seeing two variants of the mail. One is simply a plain text message with the subject "ADP Funding Notification - Debit Draft" instructing you to click a link to view your transaction report.

The second is more professional looking and tells human resources specialists that ADP is upgrading its security processes and that they need to log in and be trained on the new procedures.

[Image: ADP spam]

On first look I expected this to be a well-crafted phishing campaign, but this time the links lead to malware.

The links in all of the messages we have received redirect to compromised websites that attempt to load malicious JavaScript that has all of the telltale signs of the Blackhole exploit kit.
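The two lures described above share one giveaway: mail claiming to come from ADP whose links point at domains that have nothing to do with ADP. The following is an added triage example (not code from Sophos or from the original post) that parses constructed sample messages modelled on the two variants and flags any message with an ADP-themed subject whose links leave the adp.com domain; the sample domains, subjects beyond the quoted one, and the adp.com allowlist are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages, not real campaign mail; the link domains are placeholders.
SAMPLE_PLAIN = """\
From: ADP <notify@adp.com>
Subject: ADP Funding Notification - Debit Draft

Your transaction report is available: http://compromised-site.example/adp/report.php
"""

SAMPLE_HTML = """\
From: ADP Security <security@adp.com>
Subject: ADP Security Upgrade - HR training required
Content-Type: text/html

<html><body>Please <a href="http://another-hacked.example/login">log in</a>
to review the new procedures at <a href="https://www.adp.com/">ADP</a>.</body></html>
"""

# Assumption: adp.com is the only domain a genuine ADP notification would link to.
CLAIMED_DOMAINS = {"adp.com"}
# The subject quoted in the report plus the HR "security upgrade" lure (assumed wording).
LURE_SUBJECTS = ("adp funding notification", "adp security upgrade")
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)  # also hits href="..." targets

def extract_urls(msg):
    """Collect every http(s) URL from the text parts of a parsed message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            urls.extend(URL_RE.findall(body))
    return urls

def off_brand_hosts(urls, claimed=CLAIMED_DOMAINS):
    """Hosts that are neither a claimed domain nor a subdomain of one."""
    bad = set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in claimed):
            bad.add(host)
    return sorted(bad)

def triage(raw):
    """Flag a message when it uses the lure subject AND links off-brand."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").lower()
    hosts = off_brand_hosts(extract_urls(msg))
    lure = any(s in subject for s in LURE_SUBJECTS)
    return {"subject": msg["Subject"], "off_brand_hosts": hosts, "suspicious": lure and bool(hosts)}
```

A real gateway rule would also check the sending infrastructure and the redirect chain, but the link-domain mismatch alone is enough to quarantine both variants here.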

If you were to visit these pages (don't be foolish!), Sophos would detect the malicious JavaScript as Troj/JSRedir-GZ and Troj/JSRedir-H. We also detect the eventual payload as Troj/Dloadr-DPB.

Sophos anti-spam products are blocking these messages as spam as another layer of defense-in-depth.

Don't click links in email, folks. It's 2012 and we have been saying this for over 10 years now. Think before you click.

Thank you to Savio Lau from SophosLabs for alerting me to this scam.


One Response to ADP spams lead to a nasty surprise

  1. Shirley says:

    Thank you for this article. I've just had a few days off and my junk mail folder has several of these as well as sooooo much other garbage. I doubted the authenticity, so Googled with "hoax" and sure enough, it is. There were several articles saying so but yours is the one that stuck out.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski or send him an email at chesterw@sophos.com.