Sponsored by..

Friday 26 October 2012

ADP Spam / steamedboasting.info

This fake ADP spam leads to malware on steamedboasting.info:

From: ClientService@adp.com [mailto:ClientService@adp.com]
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification


ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344
The malicious payload is at [donotclick]steamedboasting.info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting.info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).

This is an alternative variant with the same malicious payload:


Date:      Fri, 26 Oct 2012 16:32:10 +0530
From:      "noreply@adp.com" [noreply@adp.com]
Subject:      ADP Prompt Communication


ADP Speedy Notification

Reference #: 27585

Dear ADP Client October, 25 2012

Your Transaction Statement(s) have been put onto the web site:

Web site link

Please see the following notes:

• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).

?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.

This message was sent to operating users in your company that approach ADP Netsecure.

As always, thank you for choosing ADP as your business partner!

Ref: 27585 [redacted]



No comments: