[Phish] ADP Phishing e-mails
I received a message from ADP (which processes my company's payroll) that was obviously a phish, the first clue being that it was not payday. The message contained a ZIP file that I declined to open. I forwarded the message to email@example.com and got the following in reply:
Dear Valued Client,
The Critical Incident Response Center (CIRC) within ADP's Global Security Organization has received numerous reports from ADP associates, clients, non-clients and other 3rd parties regarding a rise in the quantity and variety of fraudulent emails.
Please note that these emails are not originating from ADP and our analysis has uncovered that these emails either contain malicious attachments or links to malicious websites. ADP is actively working with our security vendors and fraud prevention team to identify and contain the source of this incident.
In addition, ADP has published a Sender Policy Framework (SPF) record for ADP's email systems. Sender Policy Framework is a public, open standard to help prevent the forgery of sender domains and addresses. In order for organizations to take advantage of ADP's SPF record, they must implement specific anti-spam or anti-phishing products that support this framework.
ADP is aware of fraudulent emails with the following subject lines:
· ADP TotalSource Automated Payroll Invoice Notification
· US Airways Reservation
· ADP Payroll Invoice for week ending
· Your ADP Aline Online Account Password
· ADP Reference #
· 2010 and 2011 Tax Documents; Accountants Letter
· 2013 Anti-Fraud Secure Update
· Account Activation
· ADP Major Accounts Changed Issue
· Changelog is Promised
· ADP Pressing Information
· We're Breaking the Contract
· ADP Debit Draft - ES Flexdirect
· Debit Draft - ES Flexdirect
· ADP Urgent Notification
· Your Payroll Is Processed
· ADP Invoice Reminder
· ADP Generated Message: First Notice - Digital Certificate Expiration
· ADP Security Management Update
· ADP Funding Notification Debit Draft
· Your American Express Forgotten User ID
· ADP Speedy Warning
· ADP Immediate Message
· ADP Prompt Message
· ADP Instant Message
· ADP Urgent Announce
· ADP Prompt Notification
· ADP Pressing Notification
If a user inadvertently clicks on a link within the email and suspects that his/her computer system may have become infected, ADP recommends that the individual cease using the computer and contact a qualified IT support professional.
As part of our commitment to protecting your data and to providing you with secure services, we maintain a Trust Center on ADP.com: www.adp.com/about-us/trust-cente···rts.aspx Here you'll find up-to-date security alerts and examples of some of these recent fraudulent emails. You will also see information on how to report abuse.
Protecting ADP clients and their data from malicious activity has been, and always will be, a top priority for ADP.
If you have any concerns, please don't hesitate to contact our Client Security Management Office via email firstname.lastname@example.org, or by phone at 855-677-7247 (Toll Free).
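The ADP reply above says it has published an SPF record and that receivers need mail filtering that evaluates it. As an added example (not code from the original post, from ADP, or from any mail product), here is a minimal SPF evaluator in Python showing what a receiving mail server does with such a record. The TXT records, domain names and IP addresses below are constructed placeholders standing in for live DNS, not ADP's real records, and the mechanisms that need further DNS lookups (a, mx, ptr, exists) are skipped rather than evaluated.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (assumption: not ADP's real records).
FAKE_DNS_TXT = {
    "adp.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nospf.example": ["some unrelated txt record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate domain's SPF record against the IP that delivered the message.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Only ip4, ip6, include and all are evaluated here; a/mx/ptr/exists would
    need live DNS and are skipped (assumption for this offline example).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    records = [t for t in dns.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:  # two v=spf1 records is a permanent error, not "pick one"
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:  # modifiers such as redirect= / exp= are not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()  # drop any /prefix-length on a or mx
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(ip, arg, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the included domain: no match, keep going
        elif mech in ("a", "mx", "ptr", "exists"):
            continue  # needs live DNS; skipped in this example
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and the record has no 'all' term


def verdict_for_message(connecting_ip, mail_from, dns=FAKE_DNS_TXT):
    """Receiver-side check. SPF is evaluated on the envelope sender
    (RFC5321.MailFrom) domain, not on the From: header a user sees."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return domain, check_spf(connecting_ip, domain, dns)


if __name__ == "__main__":
    # A host outside the published ranges claiming to be payroll@adp.example
    print(verdict_for_message("203.0.113.5", "payroll@adp.example"))
```

The caveat a filter operator should keep in mind: SPF only says whether the connecting host may send for the envelope sender's domain. A phish that uses the attacker's own domain in MAIL FROM while forging "ADP" in the visible From: header still passes SPF for that attacker domain; tying the visible header to the SPF-checked domain is what DMARC alignment adds on top, which is why ADP's note says you need a product that actually consumes the record.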
We've seen a number of ADP "phishing" mails submitted to phishtracker. I think they have all been categorized as "miscellaneous".
They don't seem to be real phish cases. Rather, they appear to be attempts to install malware on a victim's computer. There have been similar mails naming other businesses than ADP - sometimes BBB (Better Business Bureau) for example. My best guess is that the name of the company or organization means little. The malware install attempt is the same, and they are using a variety of business/organization names, hoping that some of those names will get the attention of the mail recipients.
Sometimes there's an attachment, such as a zip file containing malware (seems to be your case). At other times, there appears to be dubious JavaScript, probably trying to exploit a browser weakness.
I look at these on linux, so I'm never sure what would happen to a Windows user. I use "noscript", but I do sometimes allow scripting from the site to see what happens. And I often see the cpu load go way up, as the JavaScript is running. But I have not looked into the details of what it is trying to do.
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3 RC2; firefox 19.0
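Both posters mention a ZIP attachment that nobody wanted to open. As an added example (not code from either poster), here is a Python triage routine showing what can be checked inside such an archive without extracting it: member names, double extensions such as invoice.pdf.exe, password protection, names that escape the extraction directory, suspicious compression ratios, and the first bytes of each member. The sample archive is constructed inline and is not a real phish; the extension lists are an assumption, a starter set rather than an exhaustive one.

```python
import io
import posixpath
import zipfile

# Extensions Windows runs directly or that carry active content.
# Assumption: a starter list for the example, not an exhaustive one.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".jar", ".ps1", ".msi"}
# Document-looking extensions a phisher puts in front of the real one.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def build_sample_zip():
    """Constructed sample attachment (not a real phish): a double-extension
    PE stub, a harmless text file, and a member whose name escapes the
    extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # default ZIP_STORED, so ratio is 1:1
        z.writestr("ADP_Invoice_Week_Ending.pdf.exe", b"MZ" + b"\x00" * 62)
        z.writestr("readme.txt", b"constructed sample, nothing to see")
        z.writestr("../evil.js", b"WScript.Echo('constructed');")
    return buf.getvalue()


def triage_zip(data, max_ratio=100):
    """Inspect a ZIP attachment in memory without extracting anything.

    Returns {member_name: [reasons]} for every member that looks suspicious;
    clean members are omitted.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            reasons = []
            name = info.filename
            base = posixpath.basename(name).lower()
            root, ext = posixpath.splitext(base)
            _, ext2 = posixpath.splitext(root)
            if ext in EXEC_EXT:
                reasons.append("executable-extension")
            if ext2 in DOC_EXT and ext in EXEC_EXT:
                reasons.append("double-extension")  # e.g. invoice.pdf.exe
            if info.flag_bits & 0x1:
                reasons.append("encrypted")  # password in the mail body is an AV dodge
            if name.startswith("/") or ".." in name.split("/"):
                reasons.append("path-traversal")  # "zip slip" style member name
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                reasons.append("zip-bomb-ratio")
            if not info.is_dir():
                with z.open(info) as fh:
                    if fh.read(2) == b"MZ":  # PE/MZ header, whatever the name claims
                        reasons.append("pe-header")
            if reasons:
                findings[name] = reasons
    return findings


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member, "->", ", ".join(reasons))
```

Run it on the real attachment by passing the raw bytes of the .zip to triage_zip; nothing is written to disk and no member is executed, so it is safe to do on the machine that received the mail. A member flagged "encrypted" cannot be sniffed for an MZ header here, which is exactly why password-protected archives deserve the same suspicion as a bare .exe.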