Beware of efax that may come to your email inbox. This week I received my first efax spam with a source address of "Fax Message [message@inbound.efax.com]" which contained a link to www.dropbox.com that contained malware. The link has since been removed.
On efax's website, they indicate that if you are receiving fax spam, to submit the fax via the online form and they "will attempt to prevent further transmission of junk faxes from the source."[2]

[1] http://www.efax.com/help/faq

-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Guy 522 Posts ISC Handler Jun 8th 2014 |
Jun 8th 2014 7 years ago |
Would you mind sharing the hash of malware involved? One of these hit my mail server from a Tampa, FL, Verizon FIOS on 28 May, but by the time I had a chance to review the spoofed email, the email's DropBox link had been taken down/disabled.
Thanks |
Anonymous |
Jun 8th 2014 7 years ago |
Edited, dupe post
Anonymous |
Jun 8th 2014 7 years ago |
Been seeing a few dropbox linked malware, Bank ones too...
http://blog.dynamoo.com/2014/05/fake-natwest-email-downloads-malware.html
ClamAV Sanesecurity signatures are blocking them...
http://sanesecurity.com/
Sanesecurity 21 Posts |
Jun 9th 2014 7 years ago |
I no longer have the hash for this file and the link is now dead. The link was:
https:// www[dot]dropbox[dot]com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJpcWVxeDdocmpobnJpeHoifQ/AANvZsHohmMz8XZLiCizpVrbOVy_Unf1bJ2NSGSwCy9E5w?dl=1 |
Guy 522 Posts ISC Handler |
Jun 9th 2014 7 years ago |
What's the point of submitting a spam report to eFax.com? The email didn't originate from their systems.
Andrew 1 Posts |
Jun 9th 2014 7 years ago |
Several users of my company received the exact same email (verified the link was 100% equal), and fell for it.
It ended up being cryptolocker. We are now implementing the protections in a reactive way. |
Andrew 4 Posts |
Jun 9th 2014 7 years ago |
The malware being dropped in these samples was CryptoWall. I did a deep-dive into their infrastructure here:
http://phishme.com/inside-look-dropbox-phishing-cryptowall-bitcoins/
Let me know if you need the malware sample.
Regards,
--Ronnie @iHeartMalware
Andrew 2 Posts |
Jun 9th 2014 7 years ago |
One thing to keep in mind is these messages are not coming from eFax servers; there is very little eFax can do to stop these messages.
BTW one of my users here at the office got hit by one of these... at least one of the payloads was CryptoLocker. |
Andrew 3 Posts |
Jun 9th 2014 7 years ago |
Nice, thanks, Ronnie. Your interesting analysis was so thorough that it sufficiently quenched my thirst for the sample. Still, posting a hash would be appreciated.
Anonymous |
Jun 10th 2014 7 years ago |
Interesting. A handful of my users received this today claiming to be a voicemail. Testing shows the link is not valid.
----------------
From: Voice Mail [mailto:voicemail_sender@voicemail.com]
Sent: Tuesday, June 10, 2014 8:29 AM
To: [REDACTED]
Subject: [BULK] voice message from 765-398-7466 for mailbox 215
Importance: Low

You have received a voice mail message from 765-398-7466
Message length is 00:00:33. Message size is 290 KB.
Download your voicemail message from dropbox service (Dropbox Inc.):
https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGV.....
----------------
Anon 1 Posts |
Jun 10th 2014 7 years ago |
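For anyone triaging these from mail logs: the path segment after /meta_dl/ in the two links quoted in the comments above is unpadded base64url-encoded JSON, so it can be decoded offline without touching the dead link. The sketch below is an added example, not code from any poster in this thread; the function names are hypothetical, and treating the `tkey` field as the value worth correlating across reports is an assumption.

```python
import base64
import json
import re

# Defanged link exactly as posted in the thread (dead since June 2014).
POSTED_LINK = (
    "https:// www[dot]dropbox[dot]com/meta_dl/"
    "eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJv"
    "cGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNl"
    "LCAidGtleSI6ICJpcWVxeDdocmpobnJpeHoifQ"
    "/AANvZsHohmMz8XZLiCizpVrbOVy_Unf1bJ2NSGSwCy9E5w?dl=1"
)
# Link from the voicemail-themed sample, truncated by its poster.
VOICEMAIL_LINK = "https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGV....."

META_DL = re.compile(r"https?://(?:www\.)?dropbox\.com/meta_dl/([A-Za-z0-9_-]+)", re.I)


def refang(text):
    """Undo the defanging used in the post so the pattern can match."""
    return text.replace("[dot]", ".").replace(":// ", "://")


def triage(text):
    """Decode each meta_dl token in text; meta is None when the token is cut short."""
    findings = []
    for token in META_DL.findall(refang(text)):
        padded = token + "=" * (-len(token) % 4)  # the links drop base64 padding
        try:
            meta = json.loads(base64.urlsafe_b64decode(padded))
        except ValueError:  # invalid base64 or incomplete JSON
            meta = None
        findings.append({"token": token, "meta": meta})
    return findings


if __name__ == "__main__":
    for sample in (POSTED_LINK, VOICEMAIL_LINK):
        for finding in triage(sample):
            print(finding["meta"] or "truncated token: " + finding["token"])
```

The truncated voicemail token is a prefix of the full one, but that prefix only covers the `sub_path` and `test_link` fields, so it cannot show whether the two mails pointed at the same file; the complete token is needed for that.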
eFax could implement DMARC and eliminate spoofed mails.
HackerHater 7 Posts |
Jun 13th 2014 7 years ago |