Suspicious eFax Spear Phishing Messages

Chad sent us a report today that they have been receiving strange eFax messages. Users who are using eFax are receiving "spear phishing" emails.

The emails are using the default eFax account (From: eFax <>) and avoiding most corporate SPAM filters. The link contained in this fax is suspicious which redirect to 3 different sites with the same Javascript.

We are looking for additional information that could help us understand if this new "spear phishing" method is widespread. If you have been receiving similar messages or have any tips on how you managed to filter this type of activity, please use our contact form, or share in the comments below.



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


528 Posts
ISC Handler
Aug 17th 2012
Wepawet » Report for

Got two here, there's the wepawet for one.

34 Posts
My client's IT dept. sent out an email yesterday morning (Wed 2012-08-15 11:10 EDT) warning about these phishing emails.

133 Posts
Saw one of these yesterday.. so added a sig to block them:




21 Posts
- Recieved 2 of these. One on
Wednesday, August 15, 2012 3:43:45 PM CET
and one on:
Thursday, August 16, 2012 6:56:28 PM CET
- They where only directed at our IT managers email address
- They where blocked by the Spambotcensor rule in our Mailmarshal emailgateway
- first one pointed to
privilege-store . com
second one to
kaskada . tym . cz
Here is what you get if you follow in to the rabbit hole of kaskada . tym . cz:
We also received a heavy amount of these yesterday and today. Luckily I was able to filter them by identifying an email address in the recipient list that has not existed on our domain for a number of years, and added a filter to our Postini.

In addition, we do not currently, and will never use the eFax services so as an extra precaution I have filtered out any emails with the subject line containing "Corporate eFax message"
Going further into one of the emails.
The original link points to a page on fblikey . zxq . net which sends to:
e-byte . it
ftp . gcuebilliards . com
www . icmciudaddedios . com
I received one of these yesterday as well.
However, it was detected and blocked by our postini spam filter.
My company is in South Florida.
Symantec Brightmail is blocking as well.
Recieved several of these. the reference number link pointing to an html page on: kohlhauf . de

1 Posts
We received a pile of these. Our barracudas would've blocked all of them, except that a previous admin had (sigh) whitelisted the forged from domain 6 or 7 years ago. Oh well. 'Gave me a good excuse to cull out 95% of the whitelist-by-domain rules other admins had entered before my time here.

133 Posts
I've been using efax for some time, but I wasn't pretty satisfied with the quality of the service, some faxes ware missing, some of them arrived late. For one year I switched to and I feel pretty comfortable with it. Would recommend.
1 Posts

Sign Up for Free or Log In to start participating in the conversation!