
Thursday, 8 August 2013

eFax / jConnect spam and eliehabib.com

This fake fax spam leads to malware on eliehabib.com:

Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Blue Bar
Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .

Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.

Thank you for using jConnect!
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the jConnect Customer Agreement.

The link in the email goes through a legitimate hacked site and then on to three scripts as follows:

From then on the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php which is a hacked domain registered by GoDaddy, hosted on (Gandi, US). There are probably other malicious domains that I cannot see on the same server.

Recommended blocklist:
