Sponsored by..

Showing posts with label Fax Spam. Show all posts
Showing posts with label Fax Spam. Show all posts

Wednesday 17 September 2014

"You've received a new fax". No you haven't, you've received a new bit of malware.

This tired old spam format comes with warmed-over malware attachment.
From:     Fax [fax@victimdomain.com]
Date:     17 September 2014 09:32
Subject:     You've received a new fax

New fax at SCAN6405035 from EPSON by https://victimdomain.com
Scan date: Wed, 17 Sep 2014 16:32:29 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://estudiocarraro.com.br/hpmdkvpvge/hljaejzkql.html

(Google Disk Drive is a file hosting service operated by Google, Inc.)
The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro.com.br site. This has a VirusTotal detection rate of 3/54. The ThreatTrack report shows that the malware attempts to phone home to:

denis-benker.de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/

Recommended blocklist:
188.165.204.210
denis-benker.de
estudiocarraro.com.br


Tuesday 16 September 2014

"You've received a new fax" spam

Somebody has sent me a facsimile transmission. How quaint.
From:     Fax
Date:     16 September 2014 11:05
Subject:     You've received a new fax

New fax at SCAN0204102 from EPSON by https://victimdomain
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

http://ngujungwap.mobi.ps/sgfyzdptdc/gotmvoeqkk.html

(Google Disk Drive is a file hosting service operated by Google, Inc.)
The link is so obviously not anything to do with Google. Clicking on it loads another script from triera.biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www.yerelyonetisim.org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55.

This malware then phones home to the following locations, according to this ThreatTrack report:

188.165.204.210/1609uk4/NODE01/0/51-SP3/0/
188.165.204.210/1609uk4/NODE01/1/0/0/
188.165.204.210/1609uk4/NODE01/41/5/4/
brisamarcalcados.com.br/css/1609uk4.lim

Recommended blocklist:
188.165.204.210
brisamarcalcados.com.br
triera.biz.ua
yerelyonetisim.org.tr
ngujungwap.mobi.ps


Thursday 11 September 2014

eFax spam leads to Cryptowall

Yet another fake eFax spam. I mean really I cannot remember the last time someone sent me a fax. What's next? "Someone has sent you a telegram"?

From:     eFax [message@inbound.efax.com]
Date:     11 September 2014 20:35
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935

Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.

* The reference number for this fax is atl_did1-1400166434-52051792384-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

       

j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
I bet you've already guessed that the link in the message goes somewhere bad, in this case it downloads a ZIP files from cybercity-game.com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55.

The ThreatTrack report clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data to the following locations:

188.165.204.210/1109inst2/NODE01/0/51-SP3/0/
188.165.204.210/1109inst2/NODE01/1/0/0/
mtsvp.com/files/3/install2.tar
suspendedwar.com/87n3hdh5wi04gy
suspendedwar.com/ttfvku8z7jn
goodbookideas.com/wp-content/themes/twentyeleven/111.exe
suspendedwar.com/gwfqwaratrpl2c
suspendedwar.com/h0nxfsskh0xu
suspendedwar.com/kvlfhc0hjgo6sgo



The 111.exe has a much wider detection rate of 22/53 and according the the ThreatTrack analysis of that binary there is some sort of network connection to the following IPs:

193.169.86.151
193.19.184.20

Overall, the web hosts involved are:
46.151.145.11 (Swift Trace Ltd, Crimea)
50.63.85.76 (GoDaddy, US)
76.74.170.149 (Daiger Sydes Gustafson LLC / Peer 1, US)
188.165.204.210 (OVH, France)
193.19.184.20 (PE Intechservice-B, Ukraine)
193.169.86.151 (Ivanov Vitaliy Sergeevich, Ukraine)

I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas.com
mtsvp.com
suspendedwar.com


Friday 1 August 2014

"Corporate eFax message from "unknown" - 3 page(s)" spam

This somewhat mangled spam has a malicious attachment:

Date:      Fri, 1 Aug 2014 09:45:45 -0700 [12:45:45 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "unknown" - 3 page(s)

You have received a 3 page fax             at 2014-08-01 10:55:05. * The
reference number for this fax is p2_did1-4724072401-8195088665-159.       Thank you for
using the eFax Corporate service!        2014 j2 Global, Inc. All rights reserved. eFax
Corporate is a registered trademark of j2 Global, Inc. This account is subject to the
terms listed in the         eFax Corporate Customer Agreement.  

Attached is an archive file Fax_912_391233111_941.zip which in turn contains a malicious executable Fax_912_391233111_941.scr which has a VirusTotal detection rate of 10/54.

The Comodo CAMAS report shows the malware reaching out to the following locations:

94.23.247.202/0108us1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108us1/SANDBOXA/1/0/0/
theyungdrungbon.com/wp-includes/images/0108us1.zip
101romanticcheapdates.com/wp-includes/images/0108us1.zip

Recommended blocklist:
94.23.247.202
theyungdrungbon.com
101romanticcheapdates.com

Thursday 31 July 2014

"New fax" spam using goo.gl shortening service

Here are a couple of variations of a fax spam using the goo.gl shortening service:

From:     Fax [fax@victimdomain]
Date:     31 July 2014 11:23
Subject:     You've received a new fax

New fax at SCAN5735232 from EPSON by https://victimdomain
Scan date: Thu, 31 Jul 2014 19:23:11 +0900
Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/1rBYjl

(Google Disk Drive is a file hosting service operated by Google, Inc.)

------------------------------

From:     FAX [fax@qcom.co.uk]
Reply-to:     FAX [fax@qcom.co.uk]
 fax@localhost
Date:     31 July 2014 10:53
Subject:     You have received a new fax message

You have received fax from EPS76185555 at victimdomain
Scan date: Thu, 31 Jul 2014 16:53:10 +0700
Number of page(s): 2
Resolution: 400x400 DPI

Download file at google disk drive service - dropbox.

https://goo.gl/t8jteI

_________________________________
File is scanned image in PDF format.
Adobe(A) Reader(R) can be downloaded from the following URL: https://www.adobe.com/
There seems to be an uptick of goo.gl spam.. if you receive something like this you can report it to goo.gl/spam-report as malware.

I've seen three different URLs:
goo.gl/1rBYjl
goo.gl/t8jteI
goo.gl/RmGnbr


These lead to the following download locations:
pinkfeatherproductions.com/wp-content/uploads/2014/06/Document-95722.zip
autoescuelajoaquin.com/images/Document-95722.zip

esys-comm.ro/images/Document-95722.zip

Obviously, this is a ZIP file. It contains a malicious executable Document-95722.scr which has a VirusTotal detection rate of just 1/54. The CAMAS report shows that the malware reaches out to the following locations to download further components:
andribus.com/images/images.rar
owenscrandall.com/images/images.rar


Incidentally, if you add a "+" to the end of the goo.gl URL you can see how many people have clicked through. For example:



164 clicks isn't a lot, but there are multiple URLs in use.

Recommended blocklist:
andribus.com
owenscrandall.com
esys-comm.ro
autoescuelajoaquin.com
pinkfeatherproductions.com

Friday 25 July 2014

"eFax message" spam

Another tired old spam template leading to malware..

From:     eFax Corporate [message@inbound.efax.com]
Date:     25 July 2014 14:25
Subject:     eFax message - 4 pages

Fax Message [Caller-ID: 948-468-7596]

You have received a 4 pages fax at 2014-07-25 13:24:21 GMT.

* The reference number for this fax is latf1_did11-1187609582-1911573644-58.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |
Powered by j2

2014 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

In this case the link in the email goes to verzaoficial.com/css/fax_390392029_072514.exe which downloads a file with a VirusTotal detection rate of just 1/45. Automated analysis [pdf] is fairly inconclusive as to what it does.

Wednesday 16 July 2014

"You've received a new fax" / "You have a new Secure Message" spam

This pair of spam messages leads to a malicious ZIP file downloaded via goo.gl (and not Dropbox as the spam says)

From:     Fax [fax@victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax

New fax at SCAN7905518 from EPSON by https://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800

Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/8AanL9

(Dropbox is a file hosting service operated by Dropbox, Inc.)

-------------

From:     NatWest [secure.message@natwest.com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message

You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )

Please download your ecnrypted message at:

https://goo.gl/8AanL9


(Dropbox is a file hosting service operated by Dropbox, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4612.
I have seen three goo.gl URLs leading to three different download locations, as follows

https://goo.gl/1dlcL3 leads to
http://webbedenterprisesinc.com/message/Document-6936124.zip

https://goo.gl/8AanL9 leads to
http://rollermodena.it/Document-2816409172.zip

https://goo.gl/pwgQID leads to
http://www.vetsaudeanimal.net/Document-9879091.zip

In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54. The Malwr report shows that this then downloads components form the following locations (hosted by OVH France):
http://94.23.247.202/1607h/HOME/0/51Service%20Pack%203/0/
http://94.23.247.202/1607h/HOME/1/0/0/


An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54. The Malwr report for that is inconclusive.

Recommended blocklist:
94.23.247.202
vetsaudeanimal.net
rollermodena.it
webbedenterprisesinc.com

Thursday 29 May 2014

More eFax / Dropbox malware spam

This fake eFax message downloads malware from Dropbox, similar to yesterday's attack but with different binaries:

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     29 May 2014 10:26
Subject:     INCOMING FAX REPORT : Remote ID: 499-364-9797

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 29 May 2014 18:26:56 +0900
Speed: 4360bps
Connection time: 07:09
Pages: 9
Resolution: Normal
Remote ID: 915-162-0353
Line number: 0
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/[redacted]
The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr

This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1] [2] are pretty inconclusive as to what this does.

Wednesday 28 May 2014

eFax message from "unknown" spam downloads malware from Dropbox

This fake eFax message downloads malicious content from a Dropbox link.

From:     eFax [message@inbound.efax.com]
Date:     28 May 2014 13:12
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643

Fax Message [Caller-ID: 1-949-698-5643
You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.

* The reference number for this fax is atl_did1-1400166434-95058563842-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

       

j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.

This binary has a VirusTotal detection rate of 6/53. Automated reporting tools [1] [2] show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:
This last one makes a connection to innogate.co.kr for unknown reasons.

Recommended blocklist:
landscaping-myrtle-beach.com
innogate.co.kr





Friday 31 January 2014

"Windsor Telecom Fax2Email" spam

Another day, another fake Fax spam with a malicious payload:

Date:      Fri, 31 Jan 2014 10:00:23 +0000 [05:00:23 EST]
From:      Windsor Telecom Fax2Email [no-reply@windsor-telecom.co.uk]
Subject:      Fax Message on 08983092722 from

FAX MESSAGEYou have received a fax on your fax number: 08983092722 from.The fax is
attached to this email.PLEASE DO NOT REPLY BACK TO THIS MESSAGE. 
Attached is an archive file FAX MESSAGE.ZIP which in turn contains a malicious executable FAX MESSAGE.EXE with a VirusTotal detection rate of 4/50. Well, I say malicious but both Malwr and Anubis report that the payload does not execute properly, however that might just be an issue with those particular sandboxes and it does not mean that it will fail to run on all systems.

Wednesday 30 October 2013

"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com

Oh my, do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.

Date:      Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "673-776-6455" - 2 pages

Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.

-----------------------

Date:      Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "877-579-4466" - 5 pages

Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement. 
Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file.

This has a very low detection rate at VirusTotal of just 1/46. Automated analysis tools [1] [2] [3] show an attempted connection to a domain bulkbacklinks.com on 69.26.171.187. This is part of the same compromised Xeex address range as seen here and here.

Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list.