A malware campaign has targeted organizations with fake emails from payroll service companies such as ADP.
The Internet Storm Center (ISC) is reporting that for the past few weeks, crooks have been disguising malicious email under the guise of multiple payroll management service companies.
ADP is a prominent example.
On its security alerts page, ADP has a list of fraudulent emails that it has detected. Regular readers of Naked Security will remember that we have warned of attacks posing as messages from ADP before.
The most recent bogus email bears the subject header “ADP Generated Message: First Notice – Digital Certificate Expiration”.
The emails direct recipients to click on a link, informing their would-be victims that:
"The digital certificate used to access ADP’s Internet services is about to expire."
The ISC is reading this as a targeted attack, given that the average recipient would have “no idea who or what ADP is” and would therefore be “highly unlikely to ‘click’.”
I disagree. ADP is a common name associated with paychecks. It certainly stimulates the neurons associated with money in my brain.
But the ISC is right in stating that HR/Payroll professionals would be the most likely to click, given how alarmed they’d be at the notion of the company’s payroll access getting yanked.
One ISC reader, Richard, sent in a link that was easy to identify as a redirect: hovering over it revealed its true destination, which was neither an ADP address nor an https:// secure one.
Those who neglected to hover before clicking were redirected via three other sites, eventually winding up at 126.96.36.199, or what the ISC calls “a very temporary home on what looks like a rented Linux Vserver.”
From that rented server, the exploits were seeded.
One of the exploits was CVE-2012-1723, a Java vulnerability that Oracle fixed in June.
The flaw flowered in July, with attacks steadily climbing throughout the month, as depicted in a post by Jeong Wook Oh of the Microsoft Malware Protection Center.
One odd thing about this vulnerability, Oh said, is how hard it is for attackers to disguise what their exploit code is up to: triggering the flaw requires a Java class with specific attributes, and those attributes are visible to anyone who looks at the class.
Oh described how tricky it is to obfuscate this one:
...the attackers need to create a class with specific features like static field member with ClassLoader type or Object type. … Java doesn't provide ways to obfuscate this class structure itself, so the code pattern stands out. You can easily identify the pattern just by statically investigating the code. Easy identification of exploit code might be an advantage for malware analysts, and it makes the vulnerability a little bit less attractive to malware writers.
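Oh's point that the class structure cannot be hidden can be turned into a static check. The following is an added example, not code from the article, Microsoft or Oracle: it parses a class file's constant pool and field table and flags static fields typed java.lang.ClassLoader (the Object-typed variant Oh also mentions is too common in ordinary code to flag on its own); build_class constructs minimal sample class files inline for testing.

```python
# Added example (not from the article): flag .class files carrying a static java.lang.ClassLoader field.
import struct

ACC_STATIC = 0x0008
_FIXED = {  # constant-pool tag -> payload bytes; Utf8 (tag 1) is variable-length
    3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_fields(data):
    """Return [(access_flags, name, descriptor)] for each field of a class file."""
    if struct.unpack_from(">I", data)[0] != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    cp_count = struct.unpack_from(">H", data, 8)[0]
    pool, pos, i = [None] * cp_count, 10, 1
    while i < cp_count:                          # constant pool is 1-indexed
        tag = data[pos]
        if tag == 1:
            n = struct.unpack_from(">H", data, pos + 1)[0]
            pool[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        else:
            pos += 1 + _FIXED[tag]
        i += 2 if tag in (5, 6) else 1           # Long/Double occupy two slots
    pos += 6                                     # access_flags, this_class, super_class
    pos += 2 + 2 * struct.unpack_from(">H", data, pos)[0]   # skip interfaces table
    n_fields = struct.unpack_from(">H", data, pos)[0]
    pos, fields = pos + 2, []
    for _ in range(n_fields):
        flags, name_i, desc_i, n_attr = struct.unpack_from(">HHHH", data, pos)
        pos += 8
        for _ in range(n_attr):                  # skip attributes such as ConstantValue
            pos += 6 + struct.unpack_from(">I", data, pos + 2)[0]
        fields.append((flags, pool[name_i], pool[desc_i]))
    return fields

def static_classloader_fields(data):
    """Names of static fields typed java.lang.ClassLoader (a heuristic, not proof of exploit code)."""
    return [n for f, n, d in parse_fields(data)
            if f & ACC_STATIC and d == "Ljava/lang/ClassLoader;"]

def build_class(fields):
    """Constructed minimal class file (class Demo, no methods) with the given fields, for testing."""
    utf8 = ["Demo", "java/lang/Object"] + [s for _, n, d in fields for s in (n, d)]
    cp = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in utf8)
    cp += b"\x07" + struct.pack(">H", 1) + b"\x07" + struct.pack(">H", 2)   # Class entries
    k = len(utf8)
    body = struct.pack(">HHHHH", 0x0021, k + 1, k + 2, 0, len(fields))    # flags, this, super, ifaces, nfields
    for i, (flags, _, _) in enumerate(fields):
        body += struct.pack(">HHHH", flags, 3 + 2 * i, 4 + 2 * i, 0)      # name idx, desc idx, no attributes
    return (b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + struct.pack(">H", k + 3)
            + cp + body + struct.pack(">HH", 0, 0))                        # no methods, no attributes
```

Run static_classloader_fields over real class files pulled from a suspect JAR; an empty result does not clear the file, it only means this particular pattern is absent.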
Nonetheless, attack authors managed to do a good job hiding the exploits behind the recent ADP scheme.
According to the ISC, the anti-virus detection rate is low, mostly because the exploit uses encoding.
However, it’s comforting to report that users of Sophos products *are* protected – detecting the malware as Troj/JavaDl-FC.
Nevertheless, it still makes sense for all users of the Java JRE to make sure that they are patched. After all, you wouldn’t want malware to end up on your HR computers, potentially stealing passwords and login information or giving access to an unauthorised third party.
Even better, uninstall Java JRE entirely if your computers don’t have any requirement for it.
Good luck getting paid without getting scammed, and here’s hoping your company’s HR/Payroll people know enough not to click on dodgy links.