
Thursday, 13 September 2012

ADP spam / 46.249.37.122

This fake ADP spam tries to load malware from 46.249.37.122:

From: ADP_Online_Invoice_DoNotReply@adp.com ADP_Online_Invoice_DoNotReply@adp.com
Date: 13 September 2012 14:29
Subject: ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management.

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by September 13, 2012

$17202.04

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply. 

After clicking the link and bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122/links/systems-links_warns.php, which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server, as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP as a precaution.

2 comments:

Kafeine said...

BH EK 2.0. New anti-forensic techniques.
Referer + fresh IP may be needed.
You can try landing on this server with landings you had in the past.
Like here:
http://blog.dynamoo.com/2012/09/linkedin-spam-1081785926-and.html
(reverse proxy of same server that has been upgraded since then)