Monday, 16 September 2013

eFax spam / rockims.com

This fake eFax spam leads to malware on rockims.com:

Date:      Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message - 1 pages

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.


Fax Message [Caller-ID: 854-349-9584]

You have received a 1 pages fax at 2013-16-09 01:11:11 CST.

* The reference number for this fax is latf1_did11-1237910785-2497583013-24.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]die-web-familie.homepage.t-online.de/quasar/monte.js
[donotclick]dim-kalogeras-ka-lar.schools.ac.cy/initials/casanovas.js
[donotclick]ade-data.com/exuded/midyear.js

These then lead to a malware payload at [donotclick]rockims.com/topic/seconds-exist-foot.php, a hijacked GoDaddy domain hosted on 192.81.133.143 (Linode, US) alongside quite a few other hijacked domains, all of which are included in the blocklist below.

Recommended blocklist:
192.81.133.143
dim-kalogeras-ka-lar.schools.ac.cy
die-web-familie.homepage.t-online.de
ade-data.com
actorbell.com
facebookfansincrease.com
fillmaka.com
fillmmaka.com
filmaka.biz
filmaka.co.uk
filmaka.info
filmaka.org
filmaka.us
filmmaka.com
filmpunjab.com
fimaka.com
journeyacrossthesky.com
journeyacrossthesky.org
luckyemily.com
manpreetsidhu.com
ogaps.com
oshaughnessyfam.com
reliable661.com
rockcet.com
rockims.com
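One practical use of a list like this is to sweep web proxy or DNS logs for contacts with the listed hosts. The script below is an added example, not part of the original post: it loads indicators in the post's own format (stripping the `[donotclick]` defanging), treats the IP and the domains separately, matches subdomains of a listed domain (so `www.ade-data.com` hits `ade-data.com` while `notrockims.com` does not hit `rockims.com`), and runs over a few constructed proxy log lines. The blocklist is abbreviated to a handful of entries from the post; the full list can be pasted into `BLOCKLIST_RAW` unchanged.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the post above (abbreviated). The [donotclick]
# prefix is the blog's defanging convention and is stripped before matching.
BLOCKLIST_RAW = """
192.81.133.143
dim-kalogeras-ka-lar.schools.ac.cy
die-web-familie.homepage.t-online.de
ade-data.com
rockcet.com
rockims.com
"""


def refang(indicator: str) -> str:
    """Remove the [donotclick] marker so a defanged URL or host can be matched."""
    return indicator.strip().replace("[donotclick]", "")


def load_blocklist(text: str):
    """Split the list into a set of IP addresses and a set of domain names."""
    ips, domains = set(), set()
    for line in text.splitlines():
        item = refang(line).lower()
        if not item:
            continue
        try:
            ips.add(str(ipaddress.ip_address(item)))
        except ValueError:
            domains.add(item.rstrip("."))
    return ips, domains


def host_matches(host: str, ips: set, domains: set):
    """Return the matching indicator: exact IP, exact domain, or a parent domain."""
    host = host.lower().rstrip(".")
    if host in ips:
        return host
    for d in domains:
        # Require a dot boundary so 'notrockims.com' does not match 'rockims.com'.
        if host == d or host.endswith("." + d):
            return d
    return None


def check_url(url: str, ips: set, domains: set):
    """Extract the host from a (possibly defanged, scheme-less) URL and match it."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    if not host:
        return None
    return host_matches(host, ips, domains)


# Constructed sample proxy log lines (not from the post): time, client, method, URL.
SAMPLE_LOG = [
    "2013-09-16T14:43:10Z 10.0.0.21 GET http://die-web-familie.homepage.t-online.de/quasar/monte.js",
    "2013-09-16T14:43:11Z 10.0.0.21 GET http://rockims.com/topic/seconds-exist-foot.php",
    "2013-09-16T14:43:12Z 10.0.0.22 GET http://www.example.com/index.html",
    "2013-09-16T14:43:13Z 10.0.0.23 GET http://192.81.133.143/topic/seconds-exist-foot.php",
    "2013-09-16T14:43:14Z 10.0.0.24 GET http://notrockims.com/",
]


def scan_log(lines, blocklist_text: str = BLOCKLIST_RAW):
    """Return (timestamp, client, url, matched_indicator) for every line that hits."""
    ips, domains = load_blocklist(blocklist_text)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        ts, client, _method, url = parts[:4]
        matched = check_url(url, ips, domains)
        if matched:
            hits.append((ts, client, url, matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("BLOCKLIST HIT", *hit)
```

Matching on the parent domain is deliberate: the infection chain in the post runs through paths on these hosts, and a hijacked domain is typically abused under arbitrary subdomains and paths, so a host-level match is the right granularity for a blocklist of this kind. Matching the IP separately catches requests made directly to the Linode address with no Host name at all.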

1 comment:

Gaurav said...

Please remove this post, as our GoDaddy account was hacked at that time. Now everything is fine. Please remove this post, as your post is affecting our business.