
SANS ISC: efax Spam Containing Malware - SANS Internet Storm Center


efax Spam Containing Malware

Beware of efax notifications that may come to your email inbox. This week I received my first efax spam, with a source address of "Fax Message [message@inbound.efax.com]", which contained a link to www.dropbox.com that hosted malware. The link has since been removed.


efax Spam

On efax's website, they indicate that if you are receiving fax spam you should submit the fax via their online form, and they "will attempt to prevent further transmission of junk faxes from the source."[2] Note, however, that this form is for junk faxes delivered through efax; as several commenters point out below, emails like the one above merely spoof an efax sender address and did not pass through efax's systems, so reporting them there is unlikely to help.

[1] http://www.efax.com/help/faq
[2] http://www.efax.com/privacy?tab=reportSpam

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

424 Posts
ISC Handler
Would you mind sharing the hash of the malware involved? One of these hit my mail server from a Tampa, FL, Verizon FIOS address on 28 May, but by the time I had a chance to review the spoofed email, the email's Dropbox link had been taken down/disabled.

Thanks
Anonymous
Edited, dupe post
Anonymous
Been seeing a few Dropbox-linked malware emails, bank ones too...

http://blog.dynamoo.com/2014/05/fake-natwest-email-downloads-malware.html

ClamAV Sanesecurity signatures are blocking them...
http://sanesecurity.com/
Sanesecurity

21 Posts
I no longer have the hash for this file and the link is now dead. The link was:

https:// www[dot]dropbox[dot]com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJpcWVxeDdocmpobnJpeHoifQ/AANvZsHohmMz8XZLiCizpVrbOVy_Unf1bJ2NSGSwCy9E5w?dl=1
Guy

424 Posts
ISC Handler
What's the point of submitting a spam report to eFax.com? The email didn't originate from their systems.
Andrew

1 Posts
Several users at my company received the exact same email (I verified the link was 100% identical), and fell for it.
It ended up being CryptoLocker.
We are now implementing the protections reactively.
Andrew
4 Posts
The malware being dropped in these samples was CryptoWall. I did a deep dive into their infrastructure here:

http://phishme.com/inside-look-dropbox-phishing-cryptowall-bitcoins/

Let me know if you need the malware sample.

Regards,

--Ronnie
@iHeartMalware
Andrew
2 Posts
One thing to keep in mind is that these messages are not coming from eFax servers; there is very little eFax can do to stop them.

BTW, one of my users here at the office got hit by one of these... at least one of the payloads was CryptoLocker.
Andrew
3 Posts
Nice, thanks, Ronnie. Your interesting analysis was so thorough that it sufficiently quenched my thirst for the sample. Still, posting a hash would be appreciated.
Anonymous
Interesting. A handful of my users received this today claiming to be a voicemail. Testing shows the link is not valid.

----------------
From: Voice Mail [mailto:voicemail_sender@voicemail.com]
Sent: Tuesday, June 10, 2014 8:29 AM
To: [REDACTED]
Subject: [BULK] voice message from 765-398-7466 for mailbox 215
Importance: Low

You have received a voice mail message from 765-398-7466 Message length is 00:00:33. Message size is 290 KB.

Download your voicemail message from dropbox service (Dropbox Inc.):

https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGV.....
----------------
Anon

1 Posts
eFax could implement DMARC and eliminate spoofed mails.
HackerHater

6 Posts
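Three things in this thread lend themselves to a worked example: the meta_dl link Guy posted (its first path segment is an unpadded base64 JSON blob that names the host really serving the file), the voicemail lure quoted above (the same Dropbox-link pattern with a different pretext), and HackerHater's remark that eFax could publish a DMARC policy. The code below is an added example and is not from the ISC diary, efax, Dropbox or any commenter. It decodes the metadata segment, triages a message for the fax/voicemail-plus-direct-download pattern, and evaluates a DMARC record the way a receiving MTA would. The sample message is constructed (modelled on the quoted voicemail mail, with the real metadata segment from the thread and an invented Return-Path), the DMARC record is a hypothetical one rather than efax.com's real DNS record, and the SPF/DKIM alignment results are assumed to come from the MTA's own authentication step.

```python
"""Triage helpers for the Dropbox-link "fax"/"voicemail" lure discussed above.

Added example, not code from the ISC diary or from any commenter.  It
(1) decodes the base64 metadata segment of a dropbox.com/meta_dl link,
(2) pulls such links out of a message and flags the lure wording, and
(3) evaluates a DMARC policy the way a receiving MTA would, to show what
"eFax could implement DMARC" means in practice.
"""
import base64
import json
import re
from email import message_from_string

# Metadata segment of the link posted in the thread (defanging removed).
META_BLOB = ("eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIi"
             "OiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVs"
             "bCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJpcWVxeDdocmpobnJpeHoi"
             "fQ")

META_DL_RE = re.compile(
    r"https?://(?:www\.)?dropbox\.com/meta_dl/([A-Za-z0-9_-]+)/([A-Za-z0-9_-]+)(\?dl=1)?"
)

LURE_WORDS = ("fax", "voice mail", "voicemail")


def decode_meta_dl(blob):
    """Decode the first path segment of a meta_dl link.

    It is unpadded URL-safe base64 of a JSON object naming the host that
    actually serves the file ("server") and a token for it ("tkey").
    """
    padded = blob + "=" * (-len(blob) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dict (RFC 7489 section 6.3)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_disposition(record, spf_aligned, dkim_aligned):
    """Action a receiver takes on a message whose From: domain publishes `record`.

    DMARC passes when SPF or DKIM passed *and* its authenticated domain aligns
    with the RFC5322.From domain; otherwise the domain's p= policy applies.
    (pct=, sp= and subdomain handling are omitted for brevity.)
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"             # no policy published: nothing to enforce
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags.get("p", "none")  # none / quarantine / reject


def triage(raw_message):
    """Flag a fax/voicemail notification that points at a direct Dropbox download."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    match = re.search(r"@([\w.-]+)", from_header)
    from_domain = match.group(1).lower() if match else None

    links = []
    for m in META_DL_RE.finditer(msg.get_payload()):
        meta = decode_meta_dl(m.group(1))
        links.append({
            "url": m.group(0),
            "server": meta.get("server"),               # host that really serves the file
            "tkey": meta.get("tkey"),
            "direct_download": m.group(3) is not None,  # ?dl=1 skips the preview page
        })

    wording = (msg.get("Subject", "") + " " + from_header).lower()
    lure = any(word in wording for word in LURE_WORDS)
    return {
        "from_domain": from_domain,
        "lure_wording": lure,
        "dropbox_links": links,
        "suspicious": lure and any(link["direct_download"] for link in links),
    }


# Constructed sample modelled on the voicemail message quoted in the thread;
# the link reuses the metadata segment posted above.  The Return-Path is invented.
SAMPLE = f"""\
From: Voice Mail <voicemail_sender@voicemail.com>
To: user@example.org
Subject: [BULK] voice message from 765-398-7466 for mailbox 215
Return-Path: <bounce@spam-relay.invalid>

You have received a voice mail message from 765-398-7466 Message length is 00:00:33.

Download your voicemail message from dropbox service (Dropbox Inc.):

https://www.dropbox.com/meta_dl/{META_BLOB}/AANvZsHohmMz8XZLiCizpVrbOVy_Unf1bJ2NSGSwCy9E5w?dl=1
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
    # A spoofed From: domain publishing p=reject, with no aligned SPF/DKIM, is rejected.
    print(dmarc_disposition("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", False, False))
```

Decoding the blob shows the download is served from dl.dropboxusercontent.com under a token, which is the value worth logging for correlation once the dropbox.com link itself has been disabled, as happened to everyone in this thread. On the DMARC side, the function only models the policy decision: a mail claiming to be from inbound.efax.com that neither passes SPF for that domain nor carries an aligned DKIM signature gets whatever p= the domain publishes, so a p=reject policy is what would have stopped the spoof at receivers that enforce DMARC, while p=none (or no record) leaves enforcement to local spam filtering.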
