SANS Internet Storm Center: Suspicious eFax Spear Phishing Messages

Chad sent us a report today that they have been receiving strange eFax messages. Users who are using eFax are receiving "spear phishing" emails.

The emails use the default eFax sender (From: eFax <message@inbound.efax.com>) and get past most corporate spam filters. The link in the fax is suspicious: it redirects to three different sites, all serving the same JavaScript (Wepawet reports [1]-[3] below).

We are looking for additional information that could help us understand if this new "spear phishing" method is widespread. If you have been receiving similar messages or have any tips on how you managed to filter this type of activity, please use our contact form, or share in the comments below.

[1] http://wepawet.iseclab.org/view.php?hash=dc41d8a1e845994cb01e3223ab51cbf1&t=1345162214&type=js
[2] http://wepawet.iseclab.org/view.php?hash=5c8c6f3205e7aa28bfd32d59f320e069&t=1345162348&type=js
[3] http://wepawet.iseclab.org/view.php?hash=f990f01593e5b603ee319c92f8cf3e94&t=1345162442&type=js

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Wepawet » Report for kaskada.tym.cz:
http://wepawet.iseclab.org/domain.php?hash=e18becb2e0d81d7dfedf5510aaad4268&type=js

Got two here, there's the wepawet for one.
Susan
My client's IT dept. sent out an email yesterday morning (Wed 2012-08-15 11:10 EDT) warning about these phishing emails.
Moriah
Saw one of these yesterday, so added a sig to block them:

Sanesecurity.Malware.20030.WebHeur.1608

Cheers,

Steve
sanesecurity.com
Sanesecurity
- Received 2 of these. One on
Wednesday, August 15, 2012 3:43:45 PM CET
and one on:
Thursday, August 16, 2012 6:56:28 PM CET
- They were only directed at our IT manager's email address
- They were blocked by the Spambotcensor rule in our MailMarshal email gateway
- first one pointed to
privilege-store . com
http://wepawet.cs.ucsb.edu/view.php?hash=8bc7f13513323231096c41bac22a3c49&t=1345039504&type=js
second one to
kaskada . tym . cz
https://wepawet.cs.ucsb.edu/view.php?type=js&hash=3496c292a5f944f1bfcdf2ad58ac5cb3&t=1345192961
Anonymous
Here is what you get if you follow into the rabbit hole of kaskada . tym . cz:
Anonymous
We also received a heavy amount of these yesterday and today. Luckily I was able to filter them by identifying an email address in the recipient list that has not existed on our domain for a number of years, and added a filter to our Postini.

In addition, we do not currently, and will never use the eFax services so as an extra precaution I have filtered out any emails with the subject line containing "Corporate eFax message"
Anonymous
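As an added example (not code from the diary or from any commenter), the three filtering ideas reported on this page combined into one Python check: a message whose From is the forged eFax address but whose links leave efax.com, a subject containing "Corporate eFax message", and a recipient address that no longer exists in the directory. The trusted link domain efax.com, the sample message and its addresses are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse
# Forged sender from the diary, subject line one commenter filtered on, and an
# assumed domain genuine eFax links use (assumption made for this example).
FORGED_SENDER = "message@inbound.efax.com"
FILTERED_SUBJECT = "corporate efax message"
TRUSTED_LINK_DOMAIN = "efax.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample lure; link host and addresses are placeholders.
SAMPLE = """\
From: eFax <message@inbound.efax.com>
To: it.manager@example.org, old.user@example.org
Subject: Corporate eFax message - 2 page(s)
Content-Type: text/html

<p>You have a new fax. <a href="http://lure-host.example/fax.html">Reference</a></p>
"""

def link_hosts(msg):
    """Collect the hostnames of every URL in the text parts of a message."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts

def efax_phish_reasons(raw_message, known_recipients):
    """Return why a message looks like the reported eFax lure (empty if clean)."""
    msg = message_from_string(raw_message)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    offsite = sorted(h for h in link_hosts(msg) if h != TRUSTED_LINK_DOMAIN
                     and not h.endswith("." + TRUSTED_LINK_DOMAIN))
    if sender == FORGED_SENDER and offsite:
        reasons.append("eFax sender but links go to " + ", ".join(offsite))
    if FILTERED_SUBJECT in msg.get("Subject", "").lower():
        reasons.append("subject matches the filtered eFax lure")
    unknown = [a.lower() for _, a in getaddresses(msg.get_all("To", []))
               if a.lower() not in known_recipients]
    if unknown:
        reasons.append("recipient not in directory: " + ", ".join(unknown))
    return reasons
```

Run against the constructed SAMPLE with a directory of `{"it.manager@example.org"}` it returns all three reasons; a genuine-looking message whose links stay on efax.com and whose recipients are known returns an empty list.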
Going further into one of the emails.
The original link points to a page on fblikey . zxq . net which sends to:
e-byte . it
http://wepawet.iseclab.org/view.php?hash=a112085a46a1e5c8937180d2dbd8369b&t=1345210501&type=js
ftp . gcuebilliards . com
http://wepawet.iseclab.org/view.php?hash=97bc03e2f5900218d9d6bedb45dced15&t=1345210675&type=js
www . icmciudaddedios . com
http://wepawet.iseclab.org/view.php?hash=7018ceaeb1df9062e4b247b87093dcaf&t=1345210759&type=js
Anonymous
I received one of these yesterday as well.
However, it was detected and blocked by our Postini spam filter.
My company is in South Florida.
Anonymous
Symantec Brightmail is blocking as well.
Anonymous
Received several of these. The reference number link points to an HTML page on: kohlhauf . de
Ryan
We received a pile of these. Our barracudas would've blocked all of them, except that a previous admin had (sigh) whitelisted the forged from domain 6 or 7 years ago. Oh well. 'Gave me a good excuse to cull out 95% of the whitelist-by-domain rules other admins had entered before my time here.
Brent
I've been using efax for some time, but I wasn't very satisfied with the quality of the service; some faxes were missing, some of them arrived late. For one year I switched to http://www.popfax.com and I feel pretty comfortable with it. Would recommend.
Brent