Sponsored by..

Wednesday, 12 November 2014

"ADP Past Due Invoice#39911564" spam

I haven't seen ADP-themed spam for a very long time, mostly because it gets filtered into a deep dark hole that even I can't see into.

From: billing.address.updates@ADP.com [mailto:billing.address.updates@ADP.com]
Sent: 12 November 2014 16:28
Subject: ADP Past Due Invoice#39911564

 Your ADP past due invoice is ready for your review at ADP Online Invoice Management .

 If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

 Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.

 Important: Please do not respond to this message. It comes from an unattended mailbox.
Most of the ones that I have seen are malformed and instead of a link they just say <html> which is one reason that it is getting through the spam filter. I have seen one live one, leading to [donotclick]www.bingemann-buerosysteme.de/services/invoice1211.php

This downloads a ZIP file invoice1211_pdf28.zip which in turn contains a malicious executable invoice1211_pdf.exe which has a VirusTotal detection rate of 6/54.

It then contacts the following URLs according to the Malwr report:
http://188.165.206.208:30083/1211uk1/HOME/0/51-SP3/0/
http://188.165.206.208:30083/1211uk1/HOME/1/0/0/
http://shahlart.com/miniuk1.pmg
http://mboaqpweuhs.com/mhninqiiifrd3ku
http://mboaqpweuhs.com/nt09kq47fv6k0

Recommended blocklist:
188.165.206.208
shahlart.com
mboaqpweuhs.com

5 comments:

Unknown said...

Thanks! This is great info. The one sample I have been able to obtain of the email has malformed links, so your link was useful for testing. Do you have any other live samples that have different links/executables?

Sharkeyfinn said...

Here is what I received a few moments ago in my e-mail folder. It has the links I think you are looking for. I hope this helps.


Your ADP past due invoice is ready for your review at ADP Online Invoice Management .

If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.

Important: Please do not respond to this message. It comes from an unattended mailbox.

Sharkeyfinn said...

***SPAM*** ADP Past Due Invoice#14355998

Sharkeyfinn said...

the links do not copy

Unknown said...

Thanks for trying. When forwarding the email to a gmail account the links are removed, so maybe google is onto this one!

I am testing different combinations of solutions for AV/malware blocking, and wanted more samples of a fresh cryptovirus build to swing at them.