Monday, December 1, 2014

Detailed analysis of an ADP Invoice Phishing Attempt - The email

In this 6 part series, we will analyze a recent phishing attempt through an email which was sent to me. In this first post we will look at the email and try to analyze it to see what we can learn. The text in red represent where the hyperlink was embedded.

---- Start of email ----

From: []
Sent: Wednesday, November 12, 2014 10:33 AM
Subject: ADP Past Due Invoice#91683353

Your ADP past due invoice is ready for your review at ADP Online Invoice Management .

If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox

---- End of email ----

Analysing the email
The first sign that something was wrong here was link in the email. The embedded link was "". Now if this was related to ADP, I would expect to see something actually related to ADP. However, in this case there was absolutely nothing which suggested this came from ADP. They could have at least put a nice signature at the bottom :-)
Clicking the link

First I loaded up a VM running Linux and not much happened. It simply read this page was under construction. As a result, my belief is this is more targeted to systems running Microsoft Windows or at least browsers emulating Windows in their User-Agent.

Next I Load up a Windows 8 VM and have Wireshark running in the background. Once I clicked the link, a message appeared stating "Please read the document". At least this malicious actor was nice, he/she said "Please" :-). Along with the message a window popped up asking to "SAVE" or "OPEN". I choose to save.

In post 2, we will analyze the packet capture which was running in the background.

.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and or other devices as a result of using these files.

adp.pcap - 4cfd352a3c890873d20a33d35fffed25 - 05fc7646cf11b6e7fb124782daf9fb53 

No comments:

Post a Comment