Exploits posing as messages from payroll company ADP

Filed Under: Java, Malware, Phishing, Spam, Vulnerability

A malware campaign has targeted organizations with fake emails from payroll service companies such as ADP.

The Internet Storm Center (ISC) is reporting that for the past few weeks, crooks have been disguising malicious email under the guise of multiple payroll management service companies.

ADP is a prominent example.

On its security alerts page, ADP has a list of fraudulent emails that it has detected. Regular readers of Naked Security will remember that we have warned of attacks posing as messages from ADP before.

The most recent bogus email bears the subject header "ADP Generated Message: First Notice - Digital Certificate Expiration".

[Screenshot: the bogus ADP email]

The emails direct recipients to click on a link, informing their would-be victims that:

"The digital certificate used to access ADP’s Internet services is about to expire."

The ISC is reading this as a targeted attack, given that the average recipient would have "no idea who or what ADP is" and would therefore be "highly unlikely to 'click'."

I disagree. ADP is a common name associated with paychecks. It certainly stimulates the neurons associated with money in my brain.

But the ISC is right in stating that HR/Payroll professionals would be the most likely to click, given how alarmed they'd be at the notion of the company's payroll access getting yanked.

One ISC reader, Richard, sent in a link that was easy to identify as a redirect: hovering over the link showed its true destination, a non-ADP address and certainly not an https:// secured one.

Those who neglected to hover before clicking were redirected via three other sites, eventually winding up at 50.116.36.175, or what the ISC calls "a very temporary home on what looks like a rented Linux Vserver."

From that rented server, the exploits were seeded.

One of the exploits was CVE-2012-1723, a Java vulnerability that Oracle fixed in June.

The flaw flowered in July, with attacks steadily climbing throughout the month, as depicted in a post by Jeong Wook Oh of the Microsoft Malware Protection Center.

One odd thing about this vulnerability, Oh said, is how hard it is for attackers to disguise what their exploit is up to: to trigger the flaw, attackers have to build a Java class with specific attributes, and that structure is hard to hide.

Oh described how tricky it is to obfuscate this one:

...the attackers need to create a class with specific features like static field member with ClassLoader type or Object type. … Java doesn't provide ways to obfuscate this class structure itself, so the code pattern stands out. You can easily identify the pattern just by statically investigating the code. Easy identification of exploit code might be an advantage for malware analysts, and it makes the vulnerability a little bit less attractive to malware writers.
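As an added illustration (not code from this post or from Oh's write-up), the following Python script does the kind of static check he describes: it walks a .class file's constant pool and field table and reports static fields whose type is ClassLoader or Object. The class-file bytes it scans are constructed inline; since static Object fields are common in legitimate code, a hit is a triage signal for an analyst, not a verdict.

```python
import struct  # added example, not code from the post or from Oh's write-up
ACC_STATIC = 0x0008
SUSPECT = {"Ljava/lang/ClassLoader;", "Ljava/lang/Object;"}   # descriptors Oh flags
# Payload size of each fixed-length constant-pool entry type (tag -> bytes)
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data, pos):  # returns (pool, next_offset); only Utf8 decoded
    count = struct.unpack_from(">H", data, pos)[0]; pos += 2
    pool, i = [None] * count, 1
    while i < count:
        tag = data[pos]; pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            n = struct.unpack_from(">H", data, pos)[0]
            pool[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            pos += CP_SIZES[tag]
        i += 2 if tag in (5, 6) else 1  # Long/Double take two pool slots
    return pool, pos

def find_suspect_static_fields(data):
    """List (name, descriptor) of static fields typed ClassLoader or Object."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    pool, pos = parse_constant_pool(data, 8)   # 8 = magic + minor/major version
    pos += 6                                   # access_flags, this_class, super_class
    n_if = struct.unpack_from(">H", data, pos)[0]; pos += 2 + 2 * n_if
    n_fields = struct.unpack_from(">H", data, pos)[0]; pos += 2
    hits = []
    for _ in range(n_fields):
        flags, name_i, desc_i, n_attr = struct.unpack_from(">HHHH", data, pos); pos += 8
        for _ in range(n_attr):                # name u2, length u4, then info bytes
            pos += 6 + struct.unpack_from(">I", data, pos + 2)[0]
        if flags & ACC_STATIC and pool[desc_i] in SUSPECT:
            hits.append((pool[name_i], pool[desc_i]))
    return hits

# Constructed sample: hand-assembled class "Evil" with a static ClassLoader field, a static int, no methods
def _utf8(s): b = s.encode(); return b"\x01" + struct.pack(">H", len(b)) + b
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 9)          # version 50, 9 pool slots
    + _utf8("Evil") + b"\x07\x00\x01"                           # #1 Utf8, #2 Class -> #1
    + _utf8("java/lang/Object") + b"\x07\x00\x03"               # #3 Utf8, #4 Class -> #3
    + _utf8("loader") + _utf8("Ljava/lang/ClassLoader;")        # #5, #6
    + _utf8("count") + _utf8("I")                               # #7, #8
    + struct.pack(">HHHHH", 0x0021, 2, 4, 0, 2)                 # flags, this, super, 0 ifaces, 2 fields
    + struct.pack(">HHHH", ACC_STATIC, 5, 6, 0)                 # static ClassLoader loader
    + struct.pack(">HHHH", ACC_STATIC, 7, 8, 0)                 # static int count
    + struct.pack(">HH", 0, 0))                                 # no methods, no attributes
```

Running `find_suspect_static_fields(SAMPLE_CLASS)` reports the `loader` field and ignores the `int`; point it at classes pulled from a suspect JAR to get the same signal Oh describes.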

Nonetheless, attack authors managed to do a good job hiding the exploits behind the recent ADP scheme.

According to the ISC, the anti-virus detection rate is low, mostly because the exploit uses encoding.

However, it's comforting to report that users of Sophos products *are* protected - detecting the malware as Troj/JavaDl-FC.

Nevertheless, it still makes sense for all users of the Java JRE to make sure that they are patched. After all, you wouldn't want malware to end up on your HR computers, potentially stealing passwords and login information or giving access to an unauthorised third party.

Even better, uninstall Java JRE entirely if your computers don't have any requirement for it.

Good luck getting paid without getting scammed, and here's hoping your company's HR/Payroll people know enough not to click on dodgy links.

Phishing and Scam images, courtesy of Shutterstock.


2 Responses to Exploits posing as messages from payroll company ADP

  1. jes · 715 days ago

    I agree that using ADP will get a lot of attention. I can't remember a job that I've had that didn't use ADP as a payroll service.

    My husband works for a fast food chain that recently stopped using paper stubs for employees who receive direct deposit. Instead, each employee has a VPN-style connection to view their information. Since this is usually done at the store, but could also (I believe) be done from home, you have hundreds of store computers at risk as well as potentially thousands of home systems.

  2. DLC · 520 days ago

    Just got hit with a new variant of this. 2/19/13


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.