Sponsored by..

Saturday 9 February 2013

ADP spam / 048575623_02082013.zip

This fake ADP spam comes with a malicious attachment:

Date:      Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From:      "ops_invoice@adp.com" [ops_invoice@adp.com]
Subject:      ADP Payroll Invoice for week ending 02/08/2013 - 01647

Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Thank you for choosing ADP Payroll.

Important: Please do not respond to this message. It comes from an unattended mailbox.
In this case there was a ZIP file called 048575623_02082013.zip (this may vary) with an attachment 048575623_02082013.exe designed to look like a PDF file.

VirusTotal identifies it as a Zbot variant. According to ThreatExpert, the malware attempts to connect to the following hosts:

eyon-neos.eu
quest.social-neos.eu
social-neos.eu

These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.





5 comments:

Matthew Harris Law, PLLC said...

Excellent Info. I just received the same email. Thanks for your help!

Unknown said...

The biggest issue here is that ADP.com doesn't have an SPF record.

Trend pulled the emails out entirely for a lot of people, but some it only blocked the attachment. Luckily no one seems to have received the attachment at all.

Conrad Longmore said...

@Brian: blocking EXE-in-ZIP files at the perimeter tends to be effecting.. but an SPF record would certainly help to tag the critters too!

Unknown said...

@Conrad: blocking the EXE-ZIP sounds good, but then we're back in hyper-paranoid land where you can't send someone a file via email.

I ran a DNSStuff report on ADP.com and the SPF record is the least of their worries...

They actually have an SPF formatted TXT record so they are good there, but they are running open relay and the SPF basically says that everyone can send mail through them as long as they use the right domain names.

Conrad Longmore said...

@Brian, well.. you know, you set your policy depending on the perceived threats to your organization. But I share your concerns about ADP. ADP spam is common because it *works* - a lot of companies use it, so an email from ADP is not unexpected. But, I'm not convinced that many end users actually look at the adp.com email address anyway - there's always a hard core of individuals who will click on anything at all..