ADP spams lead to a nasty surprise

With it being the end of the month, a Friday and the end of a calendar quarter, many of us are thinking about getting paid. Mmmmm payday always feels good.

Unfortunately the scammers are trying to create their own payday and have moved from pretending to be NACHA to impersonating the payroll processing company ADP.

We are seeing two variants of the mail. One is simply a plain text message with the subject “ADP Funding Notification – Debit Draft” instructing you to click a link to view your transaction report.

The second is more professional-looking and suggests to human resource specialists that ADP is upgrading its security processes and that they need to log in and be trained on the new procedures.

ADP spam

I was expecting this to be a well-crafted phishing campaign on first look, but this time it’s malicious.

The links in all of the messages we have received redirect to compromised websites that attempt to load malicious JavaScript that has all of the telltale signs of the Blackhole exploit kit.

If you were to visit these pages (don’t be foolish!), Sophos detects the malicious JavaScript as Troj/JSRedir-GZ and Troj/JSRedir-H. We also detect the eventual payload as Troj/Dloadr-DPB.

Sophos anti-spam products are blocking these messages as spam as another layer of defense-in-depth.

Don’t click links in email, folks. It’s 2012 and we have been saying this for over 10 years now. Think before you click.

Thank you to Savio Lau from SophosLabs for alerting me to this scam.