Suspicious eFax Spear Phishing Messages

Published: 2012-08-17
Last Updated: 2012-08-17 23:17:01 UTC
by Guy Bruneau (Version: 3)
12 comment(s)

Chad sent us a report today that they have been receiving strange eFax messages. Users who are using eFax are receiving "spear phishing" emails.

The emails are using the default eFax account (From: eFax <message@inbound.efax.com>) and avoiding most corporate SPAM filters. The link contained in this fax is suspicious which redirect to 3 different sites with the same Javascript.

We are looking for additional information that could help us understand if this new "spear phishing" method is widespread. If you have been receiving similar messages or have any tips on how you managed to filter this type of activity, please use our contact form, or share in the comments below.

[1] http://wepawet.iseclab.org/view.php?hash=dc41d8a1e845994cb01e3223ab51cbf1&t=1345162214&type=js
[2] http://wepawet.iseclab.org/view.php?hash=5c8c6f3205e7aa28bfd32d59f320e069&t=1345162348&type=js
[3] http://wepawet.iseclab.org/view.php?hash=f990f01593e5b603ee319c92f8cf3e94&t=1345162442&type=js

Update 1: What we have learned so far:

  • You don't need to be an eFax subscriber to receive these eFax via email. Anyone can be a target
  • It appears to be part of a Blackhole Exploit campaign
  • The following seems to actively block suspicious eFax: Symantec Enterprise Protection 11, Barracuda and Mailmarshal emailgateway

Update 2:

  • Other reports of antispam successfully filtering eFax are: Postini, Proofpoint and Google Apps spam filter
  • We received a report that MessageLabs did not block these emails

ISC reader John indicated that he has filtered all Blackhole Exploit style phishing campaigns, including the eFax, FedEx, and AmEx with one simple RegEx:

\.\w{2,4}\/[\d\w]{8}\/index\.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: eFax Spear Phishing
12 comment(s)

Comments

Wepawet » Report for kaskada.tym.cz:
http://wepawet.iseclab.org/domain.php?hash=e18becb2e0d81d7dfedf5510aaad4268&type=js

Got two here, there's the wepawet for one.
My client's IT dept. sent out an email yesterday morning (Wed 2012-08-15 11:10 EDT) warning about these phishing emails.
Saw one of these yesterday.. so added a sig to block them:

Sanesecurity.Malware.20030.WebHeur.1608

Cheers,

Steve
sanesecurity.com
- Recieved 2 of these. One on
Wednesday, August 15, 2012 3:43:45 PM CET
and one on:
Thursday, August 16, 2012 6:56:28 PM CET
- They where only directed at our IT managers email address
- They where blocked by the Spambotcensor rule in our Mailmarshal emailgateway
- first one pointed to
privilege-store . com
http://wepawet.cs.ucsb.edu/view.php?hash=8bc7f13513323231096c41bac22a3c49&t=1345039504&type=js
second one to
kaskada . tym . cz
https://wepawet.cs.ucsb.edu/view.php?type=js&hash=3496c292a5f944f1bfcdf2ad58ac5cb3&t=1345192961
Here is what you get if you follow in to the rabbit hole of kaskada . tym . cz:
https://www.virustotal.com/file/1e29dc7ab037556a8641d58b44a31d69a6b0c8754747fa123ffe88afafede2c0/analysis/1345194513/
https://www.virustotal.com/file/c297a57886168d19d773fa8421ceca88f00374333b4576a0e8d34b14652c5e46/analysis/1345194610/
https://www.virustotal.com/file/2a4e422acc37c16837cc9a5403124b9b328c19ab110068ac1f2ad9a96f929acb/analysis/
https://www.virustotal.com/file/2fb4a11072665f7f3bfc8da3488eb58c29f24ea7507ee0d379b8fba69038e474/analysis/
https://www.virustotal.com/file/11ec1fbbc53f01332fcdbb830db22a230ce06a5992810865581190d8ff54826c/analysis/1345194972/
https://www.virustotal.com/file/a981894f61980891382e743cd248ffece4465719cba69e6b87f31c02b364e03b/analysis/1345195157/
https://www.virustotal.com/file/55d579dc03197ab6f4374976bfac78ed79d3804cb3414dab26283d85a17d8dbd/analysis/
https://www.virustotal.com/file/75957738b99f4d226698d50849ceef0637a071a3be169afe98ac8fb240b2e8d1/analysis/
We also received a heavy amount of these yesterday and today. Luckily I was able to filter them by identifying an email address in the recipient list that has not existed on our domain for a number of years, and added a filter to our Postini.

In addition, we do not currently, and will never use the eFax services so as an extra precaution I have filtered out any emails with the subject line containing "Corporate eFax message"
Going further into one of the emails.
The original link points to a page on fblikey . zxq . net which sends to:
e-byte . it
http://wepawet.iseclab.org/view.php?hash=a112085a46a1e5c8937180d2dbd8369b&t=1345210501&type=js
ftp . gcuebilliards . com
http://wepawet.iseclab.org/view.php?hash=97bc03e2f5900218d9d6bedb45dced15&t=1345210675&type=js
www . icmciudaddedios . com
http://wepawet.iseclab.org/view.php?hash=7018ceaeb1df9062e4b247b87093dcaf&t=1345210759&type=js
I received one of these yesterday as well.
However, it was detected and blocked by our postini spam filter.
My company is in South Florida.
Symantec Brightmail is blocking as well.
Recieved several of these. the reference number link pointing to an html page on: kohlhauf . de

Diary Archives