Fake anti-virus attack spread via bogus ADP anti-fraud update emails

Graham Cluley
Graham Cluley
@[email protected]

ADP logoUsers are slowly getting the message that it is important to keep their computers updated with the latest security patches, with zero-day bugs in Internet Explorer and Java making the headlines with disturbing regularity.

The bad news is that online criminals can actually exploit increased awareness about security for their own malicious ends.

Take one current malware campaign, for instance, which has been spammed out widely posing as a security update from payroll processing company ADP.

The emails, which have subject lines including “ALERT! From ADP: 2013 Anti-Fraud Secure Update” and “2013 Anti-Fraud Secure Update”, have a ZIP file attached containing a malicious payload.

Sign up to our free newsletter.
Security news, advice, and tips.

Example malicious email. Click for a full, larger version

Part of the malicious email reads:


2013 Anti-Fraud Secure Update

Dear Valued ADP Client,

We are pleased to announce that ADP Payroll System released secure upgrades to your computer.

A new version of secure update is available.

Our development division strongly recommends you to download this software update.

It contains new features:

  • The certificate will be attached to the computer of the account holder, which disables any fraud activity
  • Any irregular activity on your account is detected by our safety centre

Download the attachment. Update will be automatically installed by double click.

We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.

A regular computer user who has been following the security news about patches for Internet Explorer and Java might well think they’re being smart if they open the attachment… but the truth is that they will be falling straight into the malicious hackers’ trap.

Sophos products detect the malware contained inside the attached “2013 Anti-Fraud Secure Update.zip” file as Mal/FakeAV-OY, a fake anti-virus program.

If you’re running a firewall, it may block the fake anti-virus product’s attempt to connect with the outside world.

Windows firewall blocking the fake anti-virus

Fake anti-virus software, also known as scareware, commonly pops up spooky-looking warnings that a user’s computer is infected with malware, even though it does not. The software then offers to clean-up the infection, but demands payment first.

Of course, you’ve then given your credit card details to someone who has already proved themselves not above dirty tricks. Don’t be surprised if your problems have only just begun.

Check out this YouTube video, where Fraser Howard from our labs describes fake anti-virus software:


The lesson here is clear. It’s good to be interested in computer security, and to take notice of security warnings and the latest updates when they become available.

But you also need to check who is giving you the security advice.

Because if the person who is telling you to install a security update can’t be trusted, or isn’t who they claim to be, there’s a chance you could be heading into even bigger danger.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.