From: victim@victimdomain.com
Sent: 24 November 2014 15:31
To: norep.c@mefax.com
Subject: MyFax message from "unknown" - 3 page(s)

Fax Message [Caller-ID: 1-407-067-7356]
http://159593.webhosting58.1blu.de/messages/get_message.php

You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.
* The reference number for this fax is chd_did11-14186364797-10847113200-628.
View this fax using your PDF reader.
Thank you for using the MyFax service!

The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to the following URLs:

http://95.211.199.37:16792/2411us3/HOME/0/51-SP3/0/
http://95.211.199.37:16792/2411us3/HOME/1/0/0/
http://lasuruguayas.com/images/refus3.pnk

A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54. The Malwr report is here.
19 comments:
Question: I've gotten like 10 of these in the last hour. I'm really glad that you've documented it, but is there anything else you'd recommend I check, or just let it run its course?
yes, I wonder how many people come here looking how to get rid of it. I must have had 20 in the last half hour
We're being bombarded with these at the moment. We've had to add a mail server rule to quarantine
i just clicked on the link - took me to a page under 'conscruction' - nice spelling. have i now inadvertently infected my computer?
Me, too.
Hundreds of these in the last hour.
We have added a mail server rule as well.
@Justin you individually, or sent to users you support?
If just you, and you don't use MyFax, just block the subject line in your email client (e.g. an outlook inbox rule).
From an email admin perspective, you could run a quick search for emails with a subject of "MyFax message from" and see what kind of legitimate myfax traffic your organization has been receiving. If the answer is 'none', you may be able to safely put in a temporary rule at your filtering layer to stop these (as @test indicated s/he has done).
May I ask what mail server rule you used? I have made one myself based on recipients but I would like to know if there is a better one, such as subject or the like.
Getting a lot of these this morning also. Have put a couple of rules in our spam filter but they seem to keep slipping by. Going to try a few more rules.
@Jan
Already added an outlook rule, but thanks for the advice! We don't actually use any digital fax software, and I believe I'm the only one getting the emails. I'll look into handling the server rule from that. Thanks again!
We've just added a basic mail rule on the server to redirect anything with 'Thank you for using the MyFax service!' in the body to the quarantine for review. We're getting about 100 per minute hitting us at the moment.
Symantec quarantines this (nzsjq.exe) under SONAR.MalTRaffic!gen2
We've just turned on the option to block messages identified as 'bulk' spam using our SecurityGateway server.
We've also turned on IP shielding which is killing most of it where the 'from' header's being spoofed...
Info here from an old blog article -
http://www.zensoftware.co.uk/kb/Knowledgebase/Protecting-your-server-from-spoofing-using-MDaemons-IP-Shielding-feature?Keywords=protecting+your+server
A lot of Exchange Online customers getting these, as well:
http://community.office365.com/en-us/f/148/t/279768.aspx?pi14176=1#855041
I added a rule to delete anything with "NoRep.c@MyFax.com" in the Return-Path header.
Same here ughhh Rule added to 365 exchange
User education can also help. Fake Fax messages are an extremely common way of enticing people to click, but I bet most people don't ever get "fax by email" notifications.
I have this problem with my domains and email service run by one.com. They are being incredibly unhelpful and are telling me they can literally do nothing, no IP blocks, no mail filtering, nothing. I'm sure this is completely untrue, unless the emails are just being spoofed from myfax.com and not going out through my mail servers at all. Can anyone shed any light on this?
I set a block rule for 'Thank you for using the MyFax service!' in the body of the message and they seem to have stopped. A custom rule in my Anti-Spam software.
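The rule ideas in the comments above (match the Subject prefix, the body phrase, or the Return-Path, but first check whether the organisation receives genuine MyFax traffic) can be expressed as a small mailbox triage. The following Python script is an added example, not code from the blog or from any commenter. It assumes messages are available as raw RFC 822 text, the three sample messages are constructed with placeholder hosts and numbers, and the lure-URL pattern is an assumption generalised from the single get_message.php link quoted in the post.

```python
"""Mailbox triage for the fake MyFax run described on this page (added example).

Scores raw RFC 822 messages against the indicators commenters used in their
server rules, then applies the "check for legitimate MyFax traffic first"
caveat: if the organisation really uses MyFax, only the lure download link
is treated as evidence, because Subject, body phrase and Return-Path also
appear in genuine notices.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIX = "myfax message from"                   # spam Subject line
BODY_PHRASE = "thank you for using the myfax service!"  # body closing line
RETURN_PATH = "norep.c@myfax.com"                       # spoofed envelope sender
# Assumption: the download-link shape seen in this run, generalised to any host.
LURE_URL_RE = re.compile(r"https?://\S+/get_message\.php", re.IGNORECASE)


def _text_body(msg: EmailMessage) -> str:
    """Join every text/plain and text/html part, decoded and lower-cased."""
    chunks = [part.get_content()
              for part in msg.walk()
              if part.get_content_type() in ("text/plain", "text/html")]
    return "\n".join(chunks).lower()


def indicators(raw: str) -> list[str]:
    """Names of the spam indicators this message matches, in fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    if RETURN_PATH in str(msg["Return-Path"] or "").lower():
        hits.append("return-path")
    body = _text_body(msg)
    if BODY_PHRASE in body:
        hits.append("body-phrase")
    if LURE_URL_RE.search(body):
        hits.append("lure-url")
    return hits


def triage(raws: list[str], org_uses_myfax: bool = False):
    """Return (quarantine, deliver); quarantine holds (subject, hits) pairs.

    org_uses_myfax=False: any indicator is enough (the blanket temporary rule
    commenters added). org_uses_myfax=True: only the lure link is malicious.
    """
    quarantine, deliver = [], []
    for raw in raws:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg["Subject"] or "")
        hits = indicators(raw)
        bad = ("lure-url" in hits) if org_uses_myfax else bool(hits)
        if bad:
            quarantine.append((subject, hits))
        else:
            deliver.append(subject)
    return quarantine, deliver


# Constructed samples: placeholder hosts/numbers, not the page's real IoCs.
SPAM = """\
Return-Path: <NoRep.c@MyFax.com>
From: MyFax <norep.c@myfax.com>
To: victim@example.invalid
Subject: MyFax message from "unknown" - 3 page(s)
Content-Type: text/plain

Fax Message [Caller-ID: 1-555-000-0000]
You have received a 3 page fax.
View this fax using your PDF reader:
http://lure.example.invalid/messages/get_message.php
Thank you for using the MyFax service!
"""

GENUINE_NOTICE = """\
Return-Path: <NoRep.c@MyFax.com>
From: MyFax <norep.c@myfax.com>
To: faxadmin@example.invalid
Subject: MyFax message from "Acme Ltd" - 1 page(s)
Content-Type: text/plain

Your fax is attached as a PDF.
Thank you for using the MyFax service!
"""

UNRELATED = """\
Return-Path: <alice@example.invalid>
From: Alice <alice@example.invalid>
To: bob@example.invalid
Subject: Re: Q4 budget
Content-Type: text/plain

Revised budget attached.
"""

if __name__ == "__main__":
    for flag in (False, True):
        q, d = triage([SPAM, GENUINE_NOTICE, UNRELATED], org_uses_myfax=flag)
        print(f"org_uses_myfax={flag}: quarantine={[s for s, _ in q]} deliver={d}")
```

Running the script shows the trade-off the comments describe: with no legitimate MyFax use, both fax-styled messages are quarantined and only the unrelated mail is delivered; with MyFax in use, the genuine-looking notice is delivered and only the message carrying the download link is held.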
Does anyone experiencing spam from these have a virtual fax provider? I'm finding a pattern of the recipients being hit by this being the main contact listed on our virtual fax services. (We own 3 virtual fax lines and all 3 users being hit with this spam are on those lines)