Sponsored by..

Thursday, 24 January 2013

ADP spam / 14.sofacomplete.com

This fake ADP spam leads to malware on 14.sofacomplete.com:

From:     Erna_Thurman@ADP.com Date:     24 January 2013 17:48
Subject:     ADP Generated Message: Final Notice - Digital Certificate Expiration

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.

---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 1
Expiration date: Jan 25 23:59:59 GMT-03:59 2013

--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.

The malicious payload is at [donotclick]14.sofacomplete.com/read/saint_hate-namely_fails.php hosted on 173.246.103.26 (Gandi, US). These other malicious domains are also visible, there may be more:

14.sofacomplete.com
14.onlinecollegecomplete.com
14.technicianinformations.com

Update, these additional sites are on the same server:
14.internationalscholarships.org
14.igeekygadgets.com

No comments: