From: ClientService@adp.com [ClientService@adp.com]
Date: 22 October 2013 18:04
Subject: ADP RUN: Account Charge Alert
ADP Urgent Communication
Note ID: 33400
October, 22 2013
Valued ADP Partner
Account operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the website:
Sign In here
Please see the following notes:
• Please note that your bank account will be debited within 1 banking day for the total shown on the Summary(s).
• Please don't try to reply to this message. auto informer system can't accept incoming email. Please Contact your ADP Benefits Specialist.
This notification was sent to current clients in your system that approach ADP Netsecure.
As always, thank you for choosing ADP as your business partner!
Note ID: 33400
The link goes through a legitimate hacked site and then onto a malware landing page at [donotclick]abrakandabr.ru:8080/adp.report.php (if running Windows, else they get sent to adp.com). This is hosted on quite a lot of IP addresses:
184.108.40.206 (RapidDSL & Wireless, US)
220.127.116.11 (TOV Adamant-Bild, Ukraine)
18.104.22.168 (NTT Communications, Japan)
22.214.171.124 (Chunghwa Telecom, Taiwan)
126.96.36.199 (Chunghwa Telecom, Taiwan)
188.8.131.52 (TANET, Taiwan)
184.108.40.206 (TSKL, Kiribati)
220.127.116.11 (MYREN, Malaysia)
18.104.22.168 (Commission For Science And Technology, Pakistan)
22.214.171.124 (Prox Communicator, Japan)
126.96.36.199 (Hoster.KZ, Kazakhstan)
188.8.131.52 (BBC Cable, Bulgaria)
As mentioned before, this is either the return of the infamous RU:8080 gang, or it is somebody pretending to be the gang. But one rather peculiar factor is that in this case the bad guys only seem to have a small pool of servers that have been compromised for some time, and don't seem to have added any news ones.