Friday 25 July 2014

"eFax message" spam

Another tired old spam template leading to malware.

From:     eFax Corporate [message@inbound.efax.com]
Date:     25 July 2014 14:25
Subject:     eFax message - 4 pages

Fax Message [Caller-ID: 948-468-7596]

You have received a 4 pages fax at 2014-07-25 13:24:21 GMT.

* The reference number for this fax is latf1_did11-1187609582-1911573644-58.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Powered by j2

2014 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

In this case the link in the email goes to verzaoficial.com/css/fax_390392029_072514.exe which downloads a file with a VirusTotal detection rate of just 1/45. Automated analysis [pdf] is fairly inconclusive as to what it does.


Unknown said...

So what can we do to filter/block them without blocking our actual efax emails?

Nunya Business said...

You should be able to block .scr files and block it. It shows the icon of a PDF file but it's actually a .scr file (an executable screensaver).

If the domain is the same as the one we got, if you have a web filter you could block http://sendgrid.org (the legit site is sendgrid.com)

Unknown said...

A real fax notification from eFax would include a Fax attachment as a PDF, TIFF or EFX. The email wouldn't contain a (fake) link to read the fax.
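
The filtering question and the attachment observation in the comments above can be combined into one mail-filter check. This is an added example, not part of the original post or its comments: it quarantines eFax-themed mail that lacks a PDF/TIFF/EFX attachment or that links to or carries a .exe/.scr file, and lets mail with a real fax attachment through. The function names, verdict strings and the `example.invalid` host are assumptions made for illustration; the sender address is not used as a trust signal because the sample above shows it is spoofed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

FAX_EXTS = (".pdf", ".tif", ".tiff", ".efx")  # attachment types named in the comment
EXEC_EXTS = (".exe", ".scr")                  # executable types mentioned on this page
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def classify_efax(raw):
    """Return (verdict, reasons) for a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if "efax" not in f"{display} {addr} {msg.get('Subject', '')}".lower():
        return "not-efax", []
    names, urls = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names.append(part.get_filename().lower())
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            urls += URL_RE.findall(body.decode(charset, "replace"))
    reasons = []
    if not any(n.endswith(FAX_EXTS) for n in names):
        reasons.append("no PDF/TIFF/EFX fax attachment")
    reasons += [f"executable attachment: {n}" for n in names if n.endswith(EXEC_EXTS)]
    for u in urls:
        # Ignore query string and fragment so "file.exe?x=1" is still caught.
        if u.split("?", 1)[0].split("#", 1)[0].lower().endswith(EXEC_EXTS):
            reasons.append(f"link to executable: {u}")
    return ("quarantine" if reasons else "pass"), reasons

def sample_message(with_pdf):
    """Constructed test message; example.invalid is a placeholder host."""
    m = EmailMessage()
    m["From"] = "eFax Corporate <message@inbound.efax.com>"
    m["Subject"] = "eFax message - 4 pages"
    if with_pdf:
        m.set_content("Your fax is attached.")
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="fax.pdf")
    else:
        m.set_content("View this fax: http://example.invalid/css/fax_0000.exe")
    return m.as_string()

if __name__ == "__main__":
    for flag in (False, True):
        print(classify_efax(sample_message(flag)))
```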