Sponsored by..

Friday 15 March 2013

ADP Package Delivery Confirmation spam / picturesofdeath.net

 This fake ADP spam leads to malware on the jollily-named picturesofdeath.net:

From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply@adp.com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High

This message is to notify you that your package has been processed and is on schedule for delivery from ADP.

Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R643116536498

Details: Click here to overview and/or modify order

We will notify you via email if the status of your delivery changes.

--------------------------------------------------------------------------------

Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions

Thank You,
ADP Client Services
support.ADP.com

--------------------------------------------------------------------------------

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
The malicious payload is at [donotclick]picturesofdeath.net/kill/long_fills.php (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:

advarcheskiedela.ru
arhangelpetrov.ru
fenvid.com
gatovskiedelishki.ru
iberiti.com
metalcrew.net
notsk.com
picturesofdeath.net
porftechasgorupd.ru
roadix.net
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com

No comments: