From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification
You have received a 50 page(-s) fax at Thu, 11 Oct 2012 07:58:06 -0400.
* The reference number for this fax is [2EA33CF].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=2EA33CF
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!
© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.
==========
From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax
You have received a 34 page(-s) fax at Thu, 11 Oct 2012 13:50:54 +0200.
* The reference number for this fax is [97ECE658].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=97ECE658
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!
© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.
One leads to a malicious landing page at [donotclick]173.255.223.77/links/assure_numb_engineers.php hosted by Linode in the US.
The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44 which is not good. That looks a bit like this:
{html}
{body}
{object width='255' height='57'}
{param name='movie' value='infected.swf'} {/param}
{param name='allowScriptAccess' value='sameDomain'} {/param}
{embed width='255' height='57'
src='hxxp:||[redacted].com/chase.swf' name='BridgeMovie'
allowScriptAccess='sameDomain' type='application/x-shockwave-flash' }
{/embed}
{/object}
{/body}
{/html}
Beats me what it is. Probably nothing good though...