Thursday, June 28, 2012

Urgent Alert: Phisher Targets ADP subscribers

Fortunately for me, Norton Internet Security 2012 trapped three e-mails this morning.  Each was supposedly sent from ADP, but they got sent immediately into the Junk/Spam folder.  Nice catch, Norton....

The reason I'm writing about this is to make sure other folks know about a nasty phishing scheme by e-scammers.

Recent trends have shown phishers are now targeting narrower segments of users by referencing small institutions in their e-mail.  As in today's email, you may find a very legitimate-looking e-mail address.

I'm not the only one that got targeted today; see Scam Expert on Blogspot.com.  Actually, his e-mail was even more aggressive, since it was requesting a transfer of funds immediately to cover the payroll account.  Naturally, the aim was to get a wire of large funds from the unsuspecting recipient into the scammers' offshore account.
 
The trick is to not click on the malicious links they embed in the email.

This is what you might see in your InBox - Notice the links are not exposed; read on below to see what's under the hood of this vehicular scam and run. 




Here's the raw text with the links in red (altered slightly so that you won't accidentally click from here) :

 


ADP Security Management Update

Reference ID:  70345



Dear ADP Client                                                                                                   June 2012

     

This message is to inform you of the upcoming "Phase 2" enhancement to ADP Security Management (formally ADP Netsecure).  This is where you manage your users' access to ADP's Internet services, and includes the self-service registration process.

 Effective June 9th, ADP Security Management will reflect a new user interface.  This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management. 


Please review the following information:

•  Click here to view more details of the enhancements in Phase 2

•  Complete the What's New in Security Management Service here <messenia.com/100mbY7P20E/index.html>  (Expected to take about 15 minutes)

•  View the Supported Browsers and Operating Systems, listed here. These are updated to reflect more current versions to ensure proper presentation of the updated user interface.  It is important to note that the new ADP Security Management is best accessed using Microsoft Internet Explorer Version 8 or Mozilla Firefox Version 3.6, at minimum.

 This email was sent to active users in your company that access ADP Netsecure with a security role of "security master" or "security admin".  You may have other users that also access ADP Netsecure with other security roles.  Please inform those users of these enhancements, noting that the above resources will have some functionality that does not apply to their role.


As always, thank you for choosing ADP as your business partner! If you have any questions, please contact your ADP Technical Support organization.

Ref: 0609 MSAMALONIS1@TWNSHP

 

[This message and any attachments are intended only for the use of  the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.]

 

Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in the message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

In examining the e-mail metadata I discovered each of the three came from three separate IP addresses.   In case you want to view a little of this metadata, here's an edited example.   (Edited to remove identifiers particular to my accounts and services)

 Return-path:
Envelope-to: my email address
Delivery-date: Thu, 28 Jun 2012 13:30:02 -0400
Received: from impinc01.yourhostingaccount.com ([10.x.xxx.xxx] helo=impinc01.yourhostingaccount.com)
    by mailscan21.yourhostingaccount.com with esmtp (Exim)
    id 1SkIXa-0006Df-3o
    for my email address; Thu, 28 Jun 2012 13:30:02 -0400
Received: from 187-13-8-252.user.veloxzone.com.br ([177.47.134.243])
    by impinc01.yourhostingaccount.com with NO UCE
    id TtU11j02n5FF4s102tU2un; Thu, 28 Jun 2012 13:28:04 -0400
X-EN-OrigIP: 177.47.134.243
X-EN-IMPSID: TtU11j02n5FF4s102tU2un
Received: from [93.182.156.28] (account ADP_FSA_Services@ADP.com HELO ivsaqu.gitjhp.com)
    by 187-13-8-252.user.veloxzone.com.br (CommuniGate Pro SMTP 5.2.3)
    with ESMTPA id 303803475 for vmarechal@marshallassocs.com; Thu, 28 Jun 2012 14:29:58 -0300
Date:    Thu, 28 Jun 2012 14:29:58 -0300
From:    "ADPClientServices@adp.com"
X-Mailer: The Bat! (v3.5.30) Educational
X-Priority: 3 (Normal)
Message-ID: <9965831373.C5Z7AFUK487211@bmqtgofohjkyro.akufuqowzpxyz.biz>
To:
Subject: [Norton AntiSpam]ADP Security Management Update
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----------2871472B85EFCC7"

My conclusion: these bad guys have assembled a 'bot' network of typically unsuspected "white hat" locations to elude immediate exposure.  
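
The header reading described above can be scripted. This Python sketch is an added example, not part of the original post: it takes the headers quoted above as sample input, and the function names (`hops`, `findings`) and the three checks are this example's own choices, to be weighed as signals rather than verdicts.

```python
import re
from email import message_from_string

# Headers copied from the post, trimmed to the fields the checks read.
RAW = """\
Received: from impinc01.yourhostingaccount.com ([10.x.xxx.xxx] helo=impinc01.yourhostingaccount.com)
    by mailscan21.yourhostingaccount.com with esmtp (Exim)
Received: from 187-13-8-252.user.veloxzone.com.br ([177.47.134.243])
    by impinc01.yourhostingaccount.com with NO UCE
Received: from [93.182.156.28] (account ADP_FSA_Services@ADP.com HELO ivsaqu.gitjhp.com)
    by 187-13-8-252.user.veloxzone.com.br (CommuniGate Pro SMTP 5.2.3)
From: "ADPClientServices@adp.com"
Message-ID: <9965831373.C5Z7AFUK487211@bmqtgofohjkyro.akufuqowzpxyz.biz>

"""

def grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else ""

def hops(msg):
    """Received hops, oldest first: claimed name, peer IP, HELO string."""
    lines = [" ".join(r.split()) for r in reversed(msg.get_all("Received", []))]
    return [{"name": grab(r"^from (\S+)", ln),
             "ip": grab(r"\[((?:\d{1,3}\.){3}\d{1,3})\]", ln),
             "helo": grab(r"(?i)\bhelo[ =](\S+?)\)", ln)} for ln in lines]

def under(host, dom):
    return host == dom or host.endswith("." + dom)

def findings(msg):
    """Inconsistencies to weigh as signals, not as proof of forgery."""
    notes, chain = [], hops(msg)
    sender = grab(r"@([\w.-]+)", msg.get("From", "")).lower()
    msgid = grab(r"@([\w.-]+)", msg.get("Message-ID", "")).lower()
    origin = chain[0]["helo"].lower() if chain else ""
    for h in chain:
        # Dashed-IP host names embed an address (187-13-8-252); compare with the peer IP.
        m = re.search(r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})", h["name"])
        if m and h["ip"] and ".".join(m.groups()) != h["ip"]:
            notes.append(f"name/IP mismatch: {h['name']} connected from {h['ip']}")
    if sender and origin and not under(origin, sender):
        notes.append(f"origin HELO {origin} is not under {sender}")
    if sender and msgid and not under(msgid, sender):
        notes.append(f"Message-ID domain {msgid} is not under {sender}")
    return notes

if __name__ == "__main__":
    for note in findings(message_from_string(RAW)):
        print(note)
```

Only the hop recorded by the recipient's own provider (177.47.134.243, repeated in X-EN-OrigIP) is reliable; Received lines below it were written by the sending side and can be forged.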


Basically, besides being skeptical, you protect yourself by keeping your anti-virus and your operating system up to date. 

 

1 comment:

  1. This is the great article you have provided. I'm really satisfied with your kind information. Would you please take a look at the ADP Scam Review? Then I will appreciate you and credit your website as well. Thanks in advance.
