Sponsored by..

Showing posts with label eFax. Show all posts
Showing posts with label eFax. Show all posts

Tuesday 29 November 2016

Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from "61 2 97855412" - 2 page(s)


Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.


The link in the email goes to a hacked Sharepoint account, in this case:

https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1

It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named

Fax_11292016_page1.js
Fax_11292016_page2.js

that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:

siliguribarassociation.org/images/staffs/documetns.png

A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:

stengeling.com/20aml/index.php

The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:

4.77.129.110
18.17.224.92
31.209.107.100
37.15.90.12
43.132.208.7
45.249.111.213
52.61.200.235
61.25.216.8
67.25.164.206
74.174.194.169
88.214.198.162
92.74.29.236
111.241.115.90
115.249.171.24
119.71.196.177
135.55.94.211
143.99.241.18
147.89.60.135
156.180.11.60
162.74.9.51
168.227.171.254
176.114.21.171
184.131.179.44
207.77.174.212

Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:

butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com


Wednesday 28 October 2015

Malware spam: eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200

This fake fax spam comes with a malicious attachment:

From:    eFax [message@inbound.efax.com]
Date:    28 October 2015 at 10:08
Subject:    eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200



eFax


Fax Message [Caller-ID: 031207944200]
You have received a 1 page fax at 2015-10-28 08:57:17 GMT.
* The reference number for this fax is lon1_did14-1445421403-1407880525-89.
View this fax using your Microsoft Word.
Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home     Contact     Login
Powered by j2
© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.



FAX_20151028_1445421437_89.doc
99K


The attachment FAX_20151028_1445421437_89.doc is the same as used in this spam run and the payload is the Dridex banking trojan.

Friday 17 July 2015

Malware spam: eFax message from "unknown" - 1 page(s), Caller-ID: 1-123-456-7890

This fake fax spam leads to malware:

From:    eFax [message@inbound.efax.com]
To:    administrator@victimdomain
Date:    17 July 2015 at 10:42
Subject:    eFax message from "unknown" - 1 page(s), Caller-ID: 1-357-457-4655



Fax Message [Caller-ID: 1-357-457-4655
You have received a 1 page fax at Fri, 17 Jul 2015 15:12:25 +0530.

* The reference number for this fax is atl_did1-1400166434-67874083637-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!


j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but hacked site at:

breedandco.com/fileshare/FAX-1400166434-707348006719-154.zip

The ZIP file has a detection rate of 6/55 and it contains a malicious exeuctable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55. Automated analysis [1] [2] [3] shows a characterstic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):

93.185.4.90:12325/ETK7/<MACHINE_NAME>/0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90:12325/ETK7/<MACHINE_NAME>/41/5/1/GKBIMBFDBEEE


This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip.dyndns.org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.

The malware reaches out to some other malicious IPs (mostly parts of a botnet):

93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)

Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55] and vastuvut.exe [VT 6/55].

Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106

MD5s:
777ea29053d4e3e4eeb5689523a5ed11
2cb619f59c10a9877b672d66ab17edf9
efa2887ab892c34a5025aa3f943f49a9
debfdeb9b14dda4ed068a73b78ce5a24

Tuesday 19 May 2015

Malware spam: "Australian Taxation Office [noreply@ato.gov.au]" / "eFax message - 2 page(s)"

Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    19 May 2015 at 12:48
Subject:    eFax message - 2 page(s)

Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.

* The reference number for this fax is
min2_did16-0884196800-3877504043-49.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile.com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr.

This executable has a detection rate of 5/57. Automated analysis tools [1] [2] [3] shows that it downloads a further component from:

http://employmentrisk.com/images/1405uk77.exe

In turn, this has a detection rate of 4/57 and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).

Recommended blocklist:
employmentrisk.com
194.28.190.183

MD5s:
a6aa82995f4cb2bd29cdddedd3572461
b3b483c10d4f7eacd7cfa42f604968f8

Tuesday 18 November 2014

"INCOMING FAX REPORT" spam, let's party like it's 1999

Hang on, I think I need to load some more papyrus into the facsimile machine, the 1990s are back!

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     18 November 2014 13:16
Subject:     INCOMING FAX REPORT : Remote ID: 766-868-5553

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

http://mrconsultantpune.com/dropbox/document.php

********************************************************* 
This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes these following HTTP requests:

http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/
http://108.61.229.224:13861/1811us1/HOME/1/0/0/
http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg

It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.

Recommended blocklist:
108.61.229.224
159593.webhosting58.1blu.de

Friday 17 October 2014

eFax message from "02086160204" spam

This fake eFax spam leads to malware:
From:     eFax [message@inbound.claranet.co.uk]
Date:     17 October 2014 11:36
Subject:     eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204

Fax Message [Caller-ID: 208-616-0204]

You have received a 1 page fax at 2014-10-17 09:34:48 GMT.

* The reference number for this fax is lon2_did11-4056638710-9363579926-02.



Please visit https://www.efax.co.uk/myaccount/message/lon2_did11-4056638710-9363579926-02 to  view  this message in full.

Thank you for using the eFax service!
 Home     Contact     Login
Powered by j2

© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.
The telephone number seems to very but is always in the 0208616xxxx format.

The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:

http://tadarok.com/wp-content/themes/deadline/mess.html
http://107.170.219.47/wp-content/themes/inove/mess.html
http://dollfacebeauty.com.au/wp-content/themes/landscape/mess.html

Then (if your user agent and referrer are correct) it goes to a fake eFax page at http://206.253.165.76:8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u.com).


The download link goes to http://206.253.165.76:8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54.

The Malwr report is interesting because it contains many references to bacstel-ip which is the name of an online payment system used by UK businesses. The malware also contains the string
runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc
 If you are a sysadmin then you might recognise this as being the "Active Directory Users and Computers" admin tool. So, are the bad guys probing for sysadmins?

The malware connects to the following URLs:

http://212.59.117.207/yqqwe9mN5yoZJwBcwDqo0kTckoyNuHmw3cXoyRRFa/kaT1aBHyLi9Ne5TcaVNg3ik0NkDZ4ZqwwP/J9s1iNPmFwLiTgJuwky
http://107.170.19.156/sqVT2amDRPXDRkRmkcoyki5kimRHkZyuiqNJuV4eo/RZDe9aPekT5wqB75ge8PXHeN
http://107.170.19.156/VmwBacsascVDgHgFsDu/37PDXaX6ZVTuJ7LDeyaosTiXcZiNPg1FZak/D3TqP4RD8o1HX0TVFqkRBJwc7i
http://107.170.19.156/5XuammNFaHN8HNmD95sHik/a7mHqwFDD4ayHiuk5DeZasiXNuFucy1o/PqXNkwTu69c/1kgyo7gauTouq/wsLPNw91iN5mBL5HJsiJTmge

I recommend blocking 107.170.19.156 (Digital Ocean, US), 212.59.117.207 (IO-Hosts Ltd, Russia) and 206.253.165.76 (Arachnitec, US)

Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76


Friday 25 July 2014

"eFax message" spam

Another tired old spam template leading to malware..

From:     eFax Corporate [message@inbound.efax.com]
Date:     25 July 2014 14:25
Subject:     eFax message - 4 pages

Fax Message [Caller-ID: 948-468-7596]

You have received a 4 pages fax at 2014-07-25 13:24:21 GMT.

* The reference number for this fax is latf1_did11-1187609582-1911573644-58.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |
Powered by j2

2014 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

In this case the link in the email goes to verzaoficial.com/css/fax_390392029_072514.exe which downloads a file with a VirusTotal detection rate of just 1/45. Automated analysis [pdf] is fairly inconclusive as to what it does.

Thursday 29 May 2014

More eFax / Dropbox malware spam

This fake eFax message downloads malware from Dropbox, similar to yesterday's attack but with different binaries:

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     29 May 2014 10:26
Subject:     INCOMING FAX REPORT : Remote ID: 499-364-9797

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 29 May 2014 18:26:56 +0900
Speed: 4360bps
Connection time: 07:09
Pages: 9
Resolution: Normal
Remote ID: 915-162-0353
Line number: 0
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/[redacted]
The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr

This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1] [2] are pretty inconclusive as to what this does.

Wednesday 28 May 2014

eFax message from "unknown" spam downloads malware from Dropbox

This fake eFax message downloads malicious content from a Dropbox link.

From:     eFax [message@inbound.efax.com]
Date:     28 May 2014 13:12
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643

Fax Message [Caller-ID: 1-949-698-5643
You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.

* The reference number for this fax is atl_did1-1400166434-95058563842-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

       

j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.

This binary has a VirusTotal detection rate of 6/53. Automated reporting tools [1] [2] show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:
This last one makes a connection to innogate.co.kr for unknown reasons.

Recommended blocklist:
landscaping-myrtle-beach.com
innogate.co.kr





Tuesday 3 December 2013

Another day, another fake eFax spam

These fake eFax spams are getting a bit dull. As you might expect, this one comes with a malicious attachment.

Date:      Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Fax transmission: -5219616961-5460126761-20130705352854-84905.zip

Please find attached to this email a facsimile transmission we have just received on your behalf

(Do not reply to this email as any reply will not be read by a real person) 
Attached is a ZIP file which in this case is called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48) which in turn contains a malicious executable fax-report.exe which has an icon that makes it look like a PDF file and has a VirusTotal detection rate of 4/48.

Automated analysis tools [1] [2] [3] show an attempted communication with tuhostingprofesional.net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised.

Wednesday 30 October 2013

"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com

Oh my, do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.

Date:      Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "673-776-6455" - 2 pages

Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.

-----------------------

Date:      Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "877-579-4466" - 5 pages

Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement. 
Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file.

This has a very low detection rate at VirusTotal of just 1/46. Automated analysis tools [1] [2] [3] show an attempted connection to a domain bulkbacklinks.com on 69.26.171.187. This is part of the same compromised Xeex address range as seen here and here.

Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list.

Monday 16 September 2013

eFax spam / rockims.com

This fake eFax spam leads to malware on rockims.com:

Date:      Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message - 1 pages

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.


Fax Message [Caller-ID: 854-349-9584]

You have received a 1 pages fax at 2013-16-09 01:11:11 CST.

* The reference number for this fax is latf1_did11-1237910785-2497583013-24.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]die-web-familie.homepage.t-online.de/quasar/monte.js
[donotclick]dim-kalogeras-ka-lar.schools.ac.cy/initials/casanovas.js
[donotclick]ade-data.com/exuded/midyear.js

These then lead to a malware payload at [donotclick]rockims.com/topic/seconds-exist-foot.php which is a hijacked GoDaddy domain hosted on 192.81.133.143 (Linode, US) along with quite a few other hijacked domains (listed in italics below).

Recommended blocklist:
192.81.133.143
dim-kalogeras-ka-lar.schools.ac.cy
die-web-familie.homepage.t-online.de
ade-data.com
actorbell.com
facebookfansincrease.com
fillmaka.com
fillmmaka.com
filmaka.biz
filmaka.co.uk
filmaka.info
filmaka.org
filmaka.us
filmmaka.com
filmpunjab.com
fimaka.com
journeyacrossthesky.com
journeyacrossthesky.org
luckyemily.com
manpreetsidhu.com
ogaps.com
oshaughnessyfam.com
reliable661.com
rockcet.com
rockims.com

Thursday 8 August 2013

eFax / jConnect spam and eliehabib.com

This fake fax spam leads to malware on eliehabib.com:

Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Blue Bar
Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .

Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.

Thank you for using jConnect!
Home|Contact|Login
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the jConnect Customer Agreement.
The link in the email goes through a legitimate hacked site and then on to three scripts as follows:
[donotclick]v3dev.eu/conciseness/bragging.js
[donotclick]masperblog.it/manacle/barnaul.js
[donotclick]shop.zhengtugps.com/submissions/snipped.js

From then on the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php which is a hacked domain registered by GoDaddy, hosted on 173.246.105.15 (Gandi, US). There are probably other malicious domains that I cannot see on the same server.

Recommended blocklist:
173.246.105.15
v3dev.eu
masperblog.it
shop.zhengtugps.com
eliehabib.com


Wednesday 3 April 2013

eFax spam / ivanikako.ru

This fake eFax spam leads to malware on ivanikako.ru:

From: Global Express UPS [mailto:admin@ups.com]
Sent: 02 April 2013 21:12
Subject: Efax Corporate

Fax Message [Caller-ID: 189609656]

You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.

* The reference number for this fax is [eFAX-698329221].

View attached fax using your Internet Browser.

________________________________________
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax Ž is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Ž Customer Agreement. 
The malicious payload is at [donotclick]ivanikako.ru:8080/forum/links/column.php (report here) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
izamalok.ru
imbrigilia.ru
humaniopa.ru
hiskinta.ru
illuminataf.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanikako.ru

Tuesday 26 March 2013

eFax Corporate spam / hjuiopsdbgp.ru

This fake eFax spam leads to malware on hjuiopsdbgp.ru:

Date:      Tue, 26 Mar 2013 06:23:36 +0800
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Pages.htm



Fax Message [Caller-ID: 378677295]

You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.

* The reference number for this fax is [eFAX-677484317].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
hjuiopsdbgp.ru
heepsteronst.ru


Monday 4 March 2013

eFax spam / forumla.ru

This fake eFax spam leads to malware on forumla.ru:
Date:      Mon, 4 Mar 2013 08:53:20 +0300
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 646370000]

You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.

* The reference number for this fax is [eFAX-336705661].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]forumla.ru:8080/forum/links/column.php (report here) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumla.ru

Thursday 21 February 2013

"Efax Corporate" spam / fuigadosi.ru

This fake eFax spam leads to malware on fuigadosi.ru:

Date:      Thu, 21 Feb 2013 -05:24:35 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Efax Corporate
Attachments:     EFAX_Corporate.htm



Fax Message [Caller-ID: 705646877]

You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.

* The reference number for this fax is [eFAX-806896385].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The malicious payload is at [donotclick]fuigadosi.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

The following domains and IPs are malicious and should be blocked:
84.23.66.74
122.160.168.219
210.71.250.131
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
faneroomk.ru
finalions.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

Thursday 11 October 2012

eFax spam / 173.255.223.77 and chase.swf

Two different eFax spam runs seem to be going on at the same time:
From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification



You have received a 50 page(-s) fax at Thu, 11 Oct 2012 07:58:06 -0400.
* The reference number for this fax is [2EA33CF].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=2EA33CF
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!


© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.

==========



From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax



You have received a 34 page(-s) fax at Thu, 11 Oct 2012 13:50:54 +0200.
* The reference number for this fax is [97ECE658].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=97ECE658
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!


© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.


One leads to a malicious landing page at [donotclick]173.255.223.77/links/assure_numb_engineers.php hosted by Linode in the US.

The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44 which is not good. That looks a bit like this:

{html}
{body}
{object width='255' height='57'}
 {param name='movie' value='infected.swf'} {/param}
 {param name='allowScriptAccess' value='sameDomain'} {/param}
 {embed width='255' height='57'
  src='hxxp:||[redacted].com/chase.swf' name='BridgeMovie'
  allowScriptAccess='sameDomain' type='application/x-shockwave-flash' }
 {/embed}
{/object}
{/body}
{/html}


Beats me what it is. Probably nothing good though...

Thursday 4 October 2012

"Corporate eFax message" spam / 184.164.136.147

These fake fax messages lead to malware on 184.164.136.147:

Date:      Thu, 04 Oct 2012 19:00:16 +0200
From:      "eFax.Alert" [E988D6C@vida.org.pt]
Subject:      Corporate eFax message - 09 pages




Fax Message [Caller-ID: 341-498-5688]
You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.

* The reference number for this fax is min1_20121004190016.8673161.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.

The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php  which is an IP address belonging to Secured Servers LLC in the US and suballocated to:

autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:Class-Name:network
network:Auth-Area:184.164.128.0/19
network:ID:NET-11719.184.164.136.128/27
network:Network-Name:Public
network:IP-Network:184.164.136.128/27
network:IP-Network-Block:184.164.136.128 - 184.164.136.159
network:Org-Name:Jolly Works Hosting
network:Street-Address:Unit 3C No. 831 SAM Building, Dagupan Road
network:City:Manilla
network:State:NCR
network:Postal-Code:1013
network:Country-Code:PH
network:Tech-Contact:MAINT-11719.184.164.136.128/27
network:Created:20110811175617000
network:Updated:20110811175617000
network:Updated-By:dnsadmin@securedservers.com
contact:POC-Name:Nevin Poly
contact:POC-Email:supportsages@gmail.com
contact:POC-Phone:
contact:Tech-Name:DNS Administrator
contact:Tech-Email:dnsadmin@securedservers.com
contact:Tech-Phone:(480) 422-2023
contact:Abuse-Name:Abuse
contact:Abuse-Email:abuse@securedservers.com
contact:Abuse-Phone:+1-480-422-2022 (Office)


It might be worth blocking 184.164.136.128/27 to be on the safe side.

Wednesday 3 October 2012

"Corporate eFax message" spam / 69.194.194.222

This fake fax spam leads to malware on 69.194.194.222:


Date:      Wed, 03 Oct 2012 15:00:43 +0200
From:      "eFax" [4FBED27@fashioninsomniacs.com]
Subject:      Corporate eFax message - 8 pages




Fax Message [Caller-ID: 368-848-8852]
You have received a 8 pages fax at Wed, 03 Oct 2012 15:00:43 +0200.

* The reference number for this fax is min1_20121003150043.438820.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.

==========


Date:      Wed, 03 Oct 2012 17:12:57 +0530
From:      "eFax.Corporate" [2FEDD7BC@kelprint.fr]
Subject:      Corporate eFax message - 1 pages




Fax Message [Caller-ID: 033-717-5099]
You have received a 1 pages fax at Wed, 03 Oct 2012 17:12:57 +0530.

* The reference number for this fax is min1_20121003171257.5227.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.

==========


Date:      Wed, 03 Oct 2012 07:25:36 -0400
From:      "eFax" [965F7212@dyer.com.hk]
Subject:      Corporate eFax message - 7 pages




Fax Message [Caller-ID: 300-811-6555]
You have received a 7 pages fax at Wed, 03 Oct 2012 07:25:36 -0400.

* The reference number for this fax is min1_20121003072536.6902337.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.


The malicious payload is at [donotclick]69.194.194.222/links/assure_numb_engineers.php (Solar VPS, US). Blocking this IP address may be wise as they tend to be used in more than one campaign.