07 Aug 2012

Criminals Lure Companies with Counterfeit Notification E-mails from Payroll Service Firms


"One prominent example is ADP, whose website currently alerts their customers to four different samples of phishing emails that make the rounds and claim to be from ADP," SANS’s Daniel Wesemann writes in a blog post.

Automatic Data Processing (ADP) is a US provider of integrated computing and business outsourcing, including HR and payroll management with numerous clients around the world.

The rogue messages pretend to tell recipients that “the digital certificate [they] use to access ADP’s Internet services is about to expire.” They invite users to renew these certificates by accessing a URL indicated in the body of message.

In his blog post, Wesemann appears concerned that these e-mails can be received and the links can be accessed by HR and payroll employees which may translate into irrecoverable losses. “Combine the link with a nice fresh set of exploits that have near-zero detection in anti-virus, and you have a Get-Rich-Quick scheme for the crooks that's hard to beat.”

The links redirect users towards compromised sites that exploit vulnerabilities in old versions of browser plug-ins to further infect users’ systems with malware. One such exploit targets a Java vulnerability known as CVE-2012-1723.

Even though this vulnerability was patched by Oracle in June, it continues to be a great liability for users given the low detection rate of this exploit and the fact that a lot of people fail to update software regularly.

Wesemann includes in his post some defense tips for people who might be targets of this type of attack. First and foremost, users need to patch the Java vulnerability CVE-2012-1723. Employers should remind employees never to click on a link included in an e-mail even if the message seems to come from a legit sender. Every time they receive official notifications of any kind, they should call and check with the sender. As for the companies that use an outsourced payroll provider, they should ask for the e-mail logs to get familiarized with the authentic e-mail format.