Debunking email hoaxes and exposing Internet scams since 2003!

Hoax-Slayer Logo Hoax-Slayer Logo

Home    About    New Articles    RSS Feed    Subscriptions    Contact
Bookmark and Share

Issue 141 - October 2012 (2nd Edition) - Page 1

ADP 'Transaction Reports' Malware Email

Issue 141 Start Menu

Next Article

Email purporting to be from payroll company ADP claims that the recipient's bank account will be debited for the amount shown on a transaction report that can be viewed by clicking a link in the message.

Brief Analysis
The message is not from ADP. The link in the message opens a compromised website that automatically redirects users to other webpages that harbour versions of the infamous BlackHole Exploit Kit malware. Details in these malware emails can vary considerably. If you receive one of these fake ADP emails, do not click on any links that it contains.

Bookmark and Share

Last updated: October 15, 2012
First published: October 15, 2012
Article written by Brett M. Christensen
Research by Matthew Christensen, Brett Christensen
About Brett Christensen and Hoax-Slayer


From: ADP Client Services
Subject: Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

[Link Removed]

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,
ADP Benefit Services

Detailed Analysis
This email, which purports to be from "Client Services" at well-known payroll and business solutions company ADP, claims that the recipient's bank will be deducted for the amount shown on a transaction report within one business day. The recipient is invited to click a link in the email in order to view the transaction report on the ADP website.

However, the email is not from ADP nor is the recipient's account set to be debited as claimed. In fact, the link in the message leads, not to an ADP transaction report as expected, but rather to a site that contains malware. Those responsible for the message hope to panic recipients into clicking the link without due forethought because they mistakenly believe that money will be taken from their bank account. Existing ADP clients may click the link in the belief that they will get to view a genuine ADP transaction report. Non ADP customers may click the link in the belief that an error has been made that they need to rectify as soon as possible. Either way, the scammers achieve their goal of enticing users to click their bogus link.

Those who do click the link will be taken to a webpage that displays the message "Connecting to server....". The page will then redirect to another webpage that harbours malware. In this campaign, the malware appears to be a version of the criminal toolkit known as the BlackHole Exploit Kit. BlackHole is a web application used by criminals to exploit browser vulnerabilities as a means of downloading and installing trojans and other types of malware.

In recent months, another malware campaign targetted payroll processing company Intuit via similar scam emails that also claimed money would be deducted from the recipient's bank account. And ADP itself has been targeted several times before in malware campaigns. One recent variant claimed that users were required to click a link to renew their ADP Digital Certificate. Another version claimed that users needed to click a link to find out more about a supposed ADP Security Management Update.

Be cautious of any email that claims to be from ADP that instructs you to click a link to review or update information. If you receive such an email, do not click any links or open any attachments that it may contain.


Blackhole Exploit Kit (BHEK) continues to appear in new emails formats each day
BlackHole Exploit Kit
Intuit "Payroll Processing Request" Malware Email
ADP Spam Campaigns are in the Wild
Fake ADP Funding Notifications and Security Updates Used to Spread Malware

Next Article

Issue 141 Start Menu

Pages in this issue:
  1. ADP 'Transaction Reports' Malware Email
  2. Facebook 'Virus' Warning Message - Album 92
  3. Dubious Facebook 'Security Alert' - Obama Nation Hackers
  4. Johnny Depp is NOT Dead
  5. Social Media Rumours Falsely Claim Fidel Castro is Dead
  6. Justin Bieber Stolen Laptop and Camera - Sex Tape Rumours
  7. 'Interested in Using Your Photo for Pepsi Ad' - Money Laundering Scam
  8. Hoax - Obama's Cook County Correctional Center
  9. NatWest 'Customer Satisfaction Survey' Phishing Scam
  10. Facebook Survey Scam - 'Drunk 17 Year Old Caught on Tape'
  11. Facebook's Promoted Posts Program for Users Causing Confusion
  12. 'Little Dead Girl Clarissa' Warning - Nasty and Violent Internet Chain Letter
  13. Hoax Warning Message - 'National Kill A Pit Bull Day'
  14. Yorkshire Building Society - Egg Account Transfer Phishing Scam
  15. Skype 'Password Successfully Changed' Scam Email
  16. Michael Vick Did NOT Break His Legs in a Car Accident