January 15, 2013

An ADP Malware Lure
Payroll is one of the most important parts of any multi-employee business. It can also be a regulatory nightmare. It's fairly common, then, for businesses large and small to contract out the job to third parties. One well-known firm that handles payroll and other human resources tasks is ADP. Writing or authorizing payroll checks means direct access to at least one corporate bank account by at least one person in the company. If a company relies on ADP to manage payroll and issue checks, then the person responsible for communicating with ADP will certainly pay attention to an email that purports to originate from ADP.
And thus we come to a bogus email campaign spreading today. The message is all up in the recipient's face about an update intended to fight fraud. Here is the message:
Although there is a little bit of confusion about downloading and an attachment, I can easily envision an unwary recipient who is an ADP customer opening the 2013 Anti-Fraud Secure Update.zip attachment. Since the computer used to manage the ADP relationship is likely also used for the company's other financial transactions, the malware loaded from the attachment (and the subsequent takeover by the trojan it installs) means that login credentials will soon be lifted and accounts cleaned out.
Even if you're not an ADP customer, curiosity will kill login credentials for all types of sites you visit. The slurping sound you hear is your high-value accounts being drained.
Sadly, this particular file has, at this hour, a very low AV detection rate (7 of 46) at VirusTotal. My own computer's Sophos AV software does not yet recognize it as being hazardous.
As usual, the best defense against this kind of attack is 100% suspicion of any email message claiming to come from a web site where you have an account — especially financial sites and shopping sites where your credit card is on file. Always use pre-existing bookmarks to visit a site if you receive some kind of warning or alert from that site via email. If there is a genuine problem with your account (highly unlikely), you'll learn about it at login time.
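The three tells this lure relies on (a brand name in the sender's display name that the sending domain does not back up, an archive attachment, and scare wording about fraud) can be checked mechanically before a message reaches the payroll inbox. The following is an added example, not code from the original post; the sample message is constructed to mirror the lure described above, and the assumption that legitimate ADP mail comes from adp.com is mine, not the post's.

```python
import email
import email.utils
from email import policy

# Constructed sample modelled on the lure in the post. The sender address and
# body text are invented for illustration; only the attachment name is from the post.
SAMPLE_LURE = """\
From: "ADP Payroll Services" <alerts@example-payroll-notices.net>
To: payroll@example.com
Subject: 2013 Anti-Fraud Secure Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please download and open the attached secure update to protect your account.

--b1
Content-Type: application/zip; name="2013 Anti-Fraud Secure Update.zip"
Content-Disposition: attachment; filename="2013 Anti-Fraud Secure Update.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Assumed brand -> legitimate sending domains (adp.com is an assumption, not from the post).
LEGIT_DOMAINS = {"adp": {"adp.com"}}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
SCARE_WORDS = ("fraud", "secure update", "urgent", "suspended")


def triage(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Indicator 1: display name claims a brand the sending domain does not belong to.
    for brand, domains in LEGIT_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            findings.append(f"brand '{brand}' claimed by sender from {domain}")
    # Indicator 2: archive attachment, the lure's delivery vehicle for the trojan.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(ARCHIVE_EXTS):
            findings.append(f"archive attachment {fname!r}")
    # Indicator 3: scare wording in the subject, pushing the reader to act now.
    hits = [w for w in SCARE_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        findings.append("scare wording in subject: " + ", ".join(hits))
    return findings
```

A message matching all three indicators is a strong candidate for quarantine; a message from the expected domain with the same attachment and subject still trips two of them, which is the point of not relying on the sender field alone.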