Fake anti-virus attack spread via bogus ADP anti-fraud update emails

Filed Under: Fake anti-virus, Featured, Malware, Spam

Users are slowly getting the message that it is important to keep their computers updated with the latest security patches, with zero-day bugs in Internet Explorer and Java making the headlines with disturbing regularity.

The bad news is that online criminals can actually exploit increased awareness about security for their own malicious ends.

Take one current malware campaign, for instance, which has been spammed out widely posing as a security update from payroll processing company ADP.

The emails, which have subject lines including "ALERT! From ADP: 2013 Anti-Fraud Secure Update" and "2013 Anti-Fraud Secure Update", have a ZIP file attached containing a malicious payload.

Example malicious email.

Part of the malicious email reads:


2013 Anti-Fraud Secure Update

Dear Valued ADP Client,

We are pleased to announce that ADP Payroll System released secure upgrades to your computer.

A new version of secure update is available.

Our development division strongly recommends you to download this software update.

It contains new features:

  • The certificate will be attached to the computer of the account holder, which disables any fraud activity
  • Any irregular activity on your account is detected by our safety centre

Download the attachment. Update will be automatically installed by double click.

We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.

A regular computer user who has been following the security news about patches for Internet Explorer and Java might well think they're being smart if they open the attachment... but the truth is that they will be falling straight into the malicious hackers' trap.

Sophos products detect the malware contained inside the attached "2013 Anti-Fraud Secure Update.zip" file as Mal/FakeAV-OY, a fake anti-virus program.
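The lure above has two indicators a mail gateway or incident responder can check without any anti-virus signature: a subject line matching the campaign, and a ZIP attachment that contains an executable rather than anything a payroll provider would send. The following triage script is an added example, not code from the original article or from Sophos; it uses Python's standard library only. The subject lines and the attachment name "2013 Anti-Fraud Secure Update.zip" are taken from the article; the sender address, the name of the executable inside the archive, and the placeholder bytes standing in for the payload are assumptions made so the example runs offline.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines reported for this campaign (from the article).
KNOWN_SUBJECTS = {
    "ALERT! From ADP: 2013 Anti-Fraud Secure Update",
    "2013 Anti-Fraud Secure Update",
}

# File types that should never arrive inside an "update" ZIP from a payroll provider.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message(subject="ALERT! From ADP: 2013 Anti-Fraud Secure Update",
                         inner_name="2013 Anti-Fraud Secure Update.exe") -> bytes:
    """Construct a sample message modelled on the lure.

    The sender address and the name of the file inside the ZIP are assumptions;
    the placeholder bytes are not malware.
    """
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr(inner_name, b"MZ placeholder")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "ADP Service Team <noreply@example.invalid>"  # assumed sender
    msg["To"] = "payroll@example.invalid"
    msg.set_content("Download the attachment. Update will be automatically "
                    "installed by double click.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="2013 Anti-Fraud Secure Update.zip")
    return msg.as_bytes()


def analyse_message(raw: bytes) -> dict:
    """Return the lure indicators found in a raw RFC 5322 message.

    Verdicts (an assumed policy for this example):
      quarantine - a ZIP attachment contains an executable or cannot be read
      review     - the subject matches the campaign or a ZIP is attached
      clean      - none of the above
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject_match": False, "zip_attachments": [],
                "executables_in_zip": [], "verdict": "clean"}
    subject = (msg["Subject"] or "").strip()
    findings["subject_match"] = subject in KNOWN_SUBJECTS

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Look at the bytes as well as the name: a ZIP renamed to .dat is still a ZIP.
        if not (name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04")):
            continue
        findings["zip_attachments"].append(name)
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings["executables_in_zip"].append(info.filename)
        except zipfile.BadZipFile:
            # An archive that will not open is itself worth a closer look.
            findings["executables_in_zip"].append(f"<unreadable archive: {name}>")

    if findings["executables_in_zip"]:
        findings["verdict"] = "quarantine"
    elif findings["subject_match"] or findings["zip_attachments"]:
        findings["verdict"] = "review"
    return findings


if __name__ == "__main__":
    print(analyse_message(build_sample_message()))
```

Checking the archive's contents rather than only its name is the point: the lure tells the recipient that the "update will be automatically installed by double click", which only works if the ZIP holds something executable, and a payroll provider has no reason to deliver an .exe by email.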

If you're running a firewall, it may block the fake anti-virus product's attempt to connect with the outside world.

Windows firewall blocking the fake anti-virus

Fake anti-virus software, also known as scareware, commonly pops up alarming warnings that the user's computer is infected with malware, even though it is not. The software then offers to clean up the infection, but demands payment first.

Of course, you've then given your credit card details to someone who has already proved themselves not above dirty tricks. Don't be surprised if your problems have only just begun.

Check out this YouTube video, where Fraser Howard from our labs describes fake anti-virus software:


The lesson here is clear. It's good to be interested in computer security, and to take notice of security warnings and the latest updates when they become available.

But you also need to check who is giving you the security advice.

Because if the person who is telling you to install a security update can't be trusted, or isn't who they claim to be, there's a chance you could be heading into even bigger danger.


5 Responses to Fake anti-virus attack spread via bogus ADP anti-fraud update emails

  1. Tim Sherner · 994 days ago

    Sophos are the best at catching FakeAV for the last few years. Well done Sophos, keep up the good work.

  2. Freida Gray · 994 days ago

    The part about attaching the certificate to the computer of the account holder is the part that gives me some concern & would likely cause me to turn the "update" down.

  3. Nigel · 994 days ago

    I already knew most of what Fraser covered in the video (except the part about fake AV pages piggy-backing on legitimate sites...and that doesn't surprise me), but it was helpful to watch it anyway. It's part of the daily dose of heightened security awareness that NakedSecurity provides. Thanks Sophos!

  4. snert · 993 days ago

    I ALWAYS!!! use a sandbox for any/everything to do with the internet. After I see what the thingy tries to do, I MIGHT trust it enough to install it on my system. I got messed with big time several years ago with a fake AV. I had to reinstall my OS and jump through burning hoops with MicroSucks because of the damage done. Once bitten...

  5. Clinton Sleath · 993 days ago

    This is an important comment that applies to many digital things. These documents should never have background music. The music divides my concentration and can prevent understanding. It is difficult enough to understand many people's way of speaking and the pace they speak at. I am sure this varies greatly between people, often depending on their background; for example, this speaker sounds clear but for me is difficult to understand. This happens on TV and even affects some news readers. It is a combination of both the presenter and the listener. Some documentaries on TV are completely unintelligible due to this effect.
    I hope this is helpful.


About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley