Thursday, 15 August 2013


A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on

From:     Administrator [administrator@victimdomain]
Date:     15 August 2013 16:08
Subject:     INCOMING FAX REPORT : Remote ID: 1043524020

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll

Click here to view the file online

*********************************************************

Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate hacked site and then on to one of three scripts:

From there on, the victim is forwarded to a malicious landing page at [donotclick] using a hacked GoDaddy domain on (Gandi, US). There are other hijacked GoDaddy domains on the same server (listed in italics below):

Recommended blocklist:
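The forged "Administrator" sender and the odd details in the fax report above are things a mail gateway can test for. The following Python sketch is an added example, not part of the original post. It assumes the gateway stamps an Authentication-Results header; the function `findings`, its parameters, the `.example` domain and the sample message are all constructed for illustration.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the spam above. The domain name and the
# Authentication-Results line are assumptions, not values from the post.
SAMPLE = """\
Authentication-Results: mx.victimdomain.example; spf=fail; dkim=none
From: Administrator <administrator@victimdomain.example>
To: user@victimdomain.example
Date: Thu, 15 Aug 2013 16:08:00 +0000
Subject: INCOMING FAX REPORT : Remote ID: 1043524020

Date/Time: 07/25/2013 02:12:11 EST
Pages: 0
Description: June Payroll
Click here to view the file online
"""

def findings(raw, local_domains, max_skew_days=2):
    """Return the reasons an inbound message looks like this lure."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    reasons = []

    # 1. Sender claims one of our own domains but nothing authenticated it.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = dict(re.findall(r"\b(spf|dkim)=(\w+)", msg.get("Authentication-Results", "")))
    if domain in local_domains and "pass" not in auth.values():
        reasons.append("unauthenticated sender in recipient's own domain")

    # 2. A fax report that says no pages were received.
    if re.search(r"^Pages:\s*0\s*$", body, re.M):
        reasons.append("fax report with zero pages")

    # 3. The fax timestamp in the body is far from the mail's Date header.
    m = re.search(r"^Date/Time:\s*(\d{2}/\d{2}/\d{4})", body, re.M)
    if m and msg.get("Date"):
        fax_day = datetime.strptime(m.group(1), "%m/%d/%Y").date()
        sent_day = parsedate_to_datetime(msg["Date"]).date()
        if abs((sent_day - fax_day).days) > max_skew_days:
            reasons.append("fax date does not match send date")
    return reasons

if __name__ == "__main__":
    for reason in findings(SAMPLE, {"victimdomain.example"}):
        print(reason)
```

A production rule should rely on the aligned DMARC result rather than any single SPF or DKIM pass, since an SPF pass for an unrelated envelope sender says nothing about the From header.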
