Sponsored by..

Thursday 20 June 2013

ADP spam / planete-meuble-pikin.com

This fake ADP spam leads to malware on planete-meuble-pikin.com:

Date:      Thu, 20 Jun 2013 07:12:28 -0600
From:      EasyNetDoNotReply@clients.adpmail.org
Subject:      ADP EasyNet: Bank Account Change Alert

Dear Valued ADP Client,

As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:

** Dominic Johnson **
** Ayden Campbell **

Use this links to: Review or Decline this changes.

If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.

This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
Sincerely,

Your ADP Service Team

This e-mail comes from an unattended mailbox. Please do not reply.
The link in the email goes through a legitimate but hacked site and end up on a malware landing page at [donotclick]planete-meuble-pikin.com/news/network-watching.php (report here) hosted on:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)

Recommended blocklist:
173.254.254.110
190.93.23.10
193.147.61.250
193.254.231.51
202.147.169.211
appasnappingf.com
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
drivesr.com
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
ghroumingoviede.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gromimolniushed.ru
gurieojgndieoj.ru
jetaqua.com
joinproportio.com
multipliedfor.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
pc-liquidations.net
planete-meuble-pikin.com
pnpnews.net
profurnituree.com
reportingglan.com
rmacstolp.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
winne2000.net
winudpater.com
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
www.condalinarad72234652.ru


3 comments:

Unknown said...

what does recommended block list mean?

Conrad Longmore said...

@Steve: domains and IPs to block at your network perimeter or with whatever filtering mechanism you have.. if you have one! It's the sort of thing that network admins would do.. if you're at home that it's probably too tricky.

Unknown said...

Serving Blackhole Exploit kit with "Cridex" malware