Date: Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From: "ADPClientServices@adp.com" [ADPClientServices@adp.com]
ADP Urgent Note
Note No.: 33469
Respected ADP Consumer January, 9 2013
Your Processed Payroll Record(s) have been uploaded to the web site:
Click here to Sign In
Please take a look at the following details:
• Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).
• Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.
This notification was sent to current clients in your company that approach ADP Netsecure.
As general, thank you for choosing ADP as your business butty!
The malicious payload is on [donotclick]tetraboro.net/detects/coming_lost-source.php hosted on 126.96.36.199 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1.com through to advertizing9.com. All of these should be blocked.
188.8.131.52 (OVH, France - suballocated to premiervps.net, UK)
184.108.40.206 (VooServers, UK)
220.127.116.11 (Ecatel, Netherlands)
18.104.22.168 (China Science & Technology Network, China)
22.214.171.124 (New Wave Netconnect, US)
126.96.36.199 (Quickpacket, US)
188.8.131.52 (China Telecom, China)
184.108.40.206 (Hanaro Telecom, Korea)