Fake "eFax Corporate by j2" emails claim you have received an x-page fax message, which is either attached or supposedly waiting on a website reachable through the provided link.

Versions seen so far: a trojan executable attached inside a zip, an attached malicious HTML file, or links to malware sites hosting drive-by downloads or exploit kits.

The From header spoofs efax.com or other domains.


Subject: eFax Corporate

Subject: Corporate eFax Message - x pages

Subject: Corporate eFax message from "957-467-6746" - 4 pages

Subject: Corporate eFax message from "unknown" - 3 page(s)

Subject: Corporate eFax message from "788-595-6734" - 3 pages

eFax Corporate

You have received 1 pages fax at 2013-06-24 10:24:18 CST.

* The reference number for this fax is latf1_did11-1498393985-2394295345-38.

Please visit www.efaxcorporate.com/corp/twa/page/customerSupport
if you have any questions regarding this message or your service.
You may also e-mail our corporate support department at corporatesupport @mail.efax.com.

Thank you for using the eFax Corporate service!
Powered by j2
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2013 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.

FAX_089081322_3199.zip (137k)

Picture of fake J2 Global Corporate eFax email with virus attached.

Subject:  Corporate eFax message from "536-968-3449" - 4 pages

Fax Message [Caller-ID: 536-968-3449]

You have received a 4 pages fax at 2014-01-04 04:44:44 EST.

* The reference number for this fax is latf1_did11-1748977804-3054029554-28.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this
message or your service.

Thank you for using the eFax service!
Home | Contact | Login |

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

   FAX_6291741_7941724.zip (11)

Picture of the April 2014 version of the fake j2 global corporate efax email with malware.

Fax Message [Caller-ID: 788-595-6734]

You have received a 3 pages fax at 2014-14-05 03:33:33 EST.

* The reference number for this fax is latf1_did11-1334905931-4278108620-91.

Download attachment with the fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding
this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |

2014 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

Header samples:

Sometimes they don't bother spoofing at all. Sometimes they spoof efax.com in the From header while the envelope sender (X-Envelope-From) is something else entirely, such as aexp.com.

Received: from host-108-32-220-24.midco.net [24.220.32.108]
X-Envelope-From: fraud @aexp.com
From: eFax Corporate <message @inbound.efax.com>
Subject: Corporate eFax message from "845-457-8996" - 2 pages

Received: from s72-38-236-247.static.wavedirect.net [72.38.236.247]
X-Envelope-From: fraud @aexp.com
From: "eFax Corporate" <message @inbound.efax.com>
Subject: Corporate eFax message from "567-739-3338" - 1 pages

Received: from mail.markusduschek.com [109.73.50.150]
X-Envelope-From: web5 @markusduschek.com
From: "eFax Corporate" <web5 @markusduschek.com>
Subject: Corporate eFax message from "658-958-2222" - 2 pages

Received: from mail1.roiltd.co.uk [84.19.44.74]
X-Envelope-From: fraud @aexp.com
From: eFax Corporate <message @inbound.efax.com>
Subject: Corporate eFax message from "788-593-5645" - 3 pages

Received: from 174.141.120.4.nw.nuvox.net [174.141.120.4]
X-Envelope-From: fraud @aexp.com
From: "eFax Corporate" <message @inbound.efax.com>
Subject: Corporate eFax message from "567-383-7764" - 3 pages

Received: from ABTS-mum-static-192.96.169.122.airtelbroadband.in [122.169.96.192]
X-Envelope-From: fraud @aexp.com
From: eFax Corporate <message @inbound.efax.com>
Subject: Corporate eFax message from "786-559-3883" - 4 pages

Variations:

Subject Line "Efax Corporate".

Attachment "EFAX_Corporate.htm", an HTML file that uses JavaScript to redirect to malicious websites.

Subject Line "Corporate eFax message from "576-555-5364" - 17 page(s)" with random phone number and number of pages.

Subject Line "Corporate eFax message - 1 page(s) fax message, caller ID: 231-744-2544" with random phone number and number of pages.

Sometimes, instead of an attachment, there is an ordinary HTML link whose visible text looks like it points to efaxcorporate, but which actually leads to a phishing or malicious-code website.
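The header samples and the subject-line variations above give a mail filter three things to correlate: the envelope sender versus the From domain, the relay named in Received versus the domain the From header claims, and the lure wording in Subject. The following is an added example (not code from the original page or from j2/eFax) that runs those checks over constructed header blocks modelled on the samples; the page writes addresses defanged as "fraud @aexp.com", and the '@' is restored here so the standard-library parser can read them. The third block is a constructed benign control.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed header blocks, modelled on the page's samples (defanging removed).
SAMPLES = [
    'Received: from host-108-32-220-24.midco.net [24.220.32.108]\n'
    'X-Envelope-From: fraud@aexp.com\n'
    'From: eFax Corporate <message@inbound.efax.com>\n'
    'Subject: Corporate eFax message from "845-457-8996" - 2 pages\n',

    'Received: from mail.markusduschek.com [109.73.50.150]\n'
    'X-Envelope-From: web5@markusduschek.com\n'
    'From: "eFax Corporate" <web5@markusduschek.com>\n'
    'Subject: Corporate eFax message from "658-958-2222" - 2 pages\n',

    # Benign control: envelope, From and relay all agree, subject is unrelated.
    'Received: from mail.example.org [192.0.2.10]\n'
    'X-Envelope-From: alice@example.org\n'
    'From: Alice <alice@example.org>\n'
    'Subject: Lunch on Friday?\n',
]

# Every subject line listed in the "Variations" section reduces to one of two shapes.
SUBJECT_RE = re.compile(r'^(?:efax corporate|corporate efax message\b.*)$', re.IGNORECASE)

# The brand the lure impersonates and the domain it legitimately belongs to.
BRAND = 'efax'
BRAND_DOMAIN = 'efax.com'


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, '' if there is none."""
    _name, addr = parseaddr(address)
    return addr.rpartition('@')[2].lower()


def base_domain(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels.

    Good enough for these samples; a production filter would consult the
    public suffix list so that mail1.roiltd.co.uk is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def analyse(raw_headers: str) -> dict:
    """Score one header block; returns the extracted fields and the findings."""
    msg = message_from_string(raw_headers)
    display_name, _ = parseaddr(msg.get('From', ''))
    from_dom = domain_of(msg.get('From', ''))
    env_dom = domain_of(msg.get('X-Envelope-From', ''))
    subject = msg.get('Subject', '')
    m = re.match(r'from\s+(\S+)', msg.get('Received', ''))
    relay_host = m.group(1) if m else ''

    findings = []
    # 1. Envelope sender and header From disagree (fraud@aexp.com vs efax.com).
    if env_dom and from_dom and base_domain(env_dom) != base_domain(from_dom):
        findings.append(f'envelope-from domain {env_dom} differs from From domain {from_dom}')
    # 2. Display name sells the brand but the address lives somewhere else.
    if BRAND in display_name.lower() and not from_dom.endswith(BRAND_DOMAIN):
        findings.append(f'display name claims {BRAND} but address domain is {from_dom}')
    # 3. The relay that handed the mail over is unrelated to the From domain
    #    (a cable-modem host or a random web server is not eFax infrastructure).
    if relay_host and from_dom and base_domain(relay_host) != base_domain(from_dom):
        findings.append(f'relay {relay_host} unrelated to From domain {from_dom}')
    # 4. Subject matches the campaign's lure wording.
    lure = bool(SUBJECT_RE.match(subject))
    if lure:
        findings.append('subject matches eFax lure pattern')

    return {
        'from_domain': from_dom,
        'envelope_domain': env_dom,
        'relay_host': relay_host,
        'findings': findings,
        # A lure subject alone is not enough (legitimate eFax mail exists);
        # require it together with at least one identity inconsistency.
        'suspicious': lure and len(findings) >= 2,
    }


if __name__ == '__main__':
    for block in SAMPLES:
        result = analyse(block)
        print('SUSPICIOUS' if result['suspicious'] else 'ok', result['findings'])
```

The second sample shows why the subject check matters: its envelope sender, From address and relay are all consistent with each other (the sender simply used a compromised host's own account), so only the brand name in the display name and the lure subject give it away.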

Alternate layout, usually for the malware link variation:

Picture of fake J2 Global Corporate eFax email with malware links.


Attachments and Links

Virus Attachment variation:

9 July 2014

 chd_did8-55761798157-27768463314-110.zip containing fax_message.exe

VirusTotal report 

Malwarebytes 	Trojan.Downloader
Qihoo-360 HEUR/Malware.QVM07.Gen

"#upatre" --matthewm

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP GETs:
94.23.247.202 /0907ver/HOME/0/51Service%20Pack%203/0/
94.23.247.202 /0907ver/HOME/1/0/0/

Anubis report 

Comodo report 

Deletes self
Injects code into other processes

x3po.awardspace.com /images/VER103.pdf <-- not actually PDF files
shop.negro-rhygass.ch /css/VER103.pdf

12 June 2014

latf1_did11-881721-86461.zip containing latf1_did11-881721-86461.scr | VirusTotal report | Malwr.com report | Anubis report 

1 April 2014

FAX_6291741_7941724.zip containing FAX_6291741_7941724.exe | VirusTotal report | Malwr.com report | File-Analyzer.net report 

20 February 2014

VirusTotal report | File-Analyzer.net report

5 November 2013

VirusTotal report | Malwr.com report

HTML file attachment variation:

The attachment is a .htm file that uses JavaScript to redirect to malicious download websites like:

 ighjaooru.ru port 8080 / forum/ links/ column.php
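Across the variations above, the malicious payload arrives in one of three disguises: a zip wrapping an .exe or .scr (the FAX_*.zip and chd_did8-*.zip samples), a download named .pdf whose bytes are not a PDF (the VER103.pdf files), or a .htm attachment carrying a script redirector (EFAX_Corporate.htm). The following is an added example, not code from the original page or from any of the sandbox services it cites, that triages attachments on those three properties. The sample attachments are constructed here: names follow the page, contents are inert stub bytes, and the redirect target is the reserved placeholder example.invalid.

```python
import io
import re
import zipfile

# Extensions Windows runs directly when a user double-clicks the file.
EXECUTABLE_EXTS = {'.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs'}
PDF_MAGIC = b'%PDF-'
ZIP_MAGIC = b'PK\x03\x04'


def extension(name: str) -> str:
    """Lower-cased final extension including the dot ('' if none)."""
    base = name.rsplit('/', 1)[-1]
    return '.' + base.rsplit('.', 1)[-1].lower() if '.' in base else ''


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings for one attachment; an empty list means clean."""
    findings = []
    ext = extension(filename)

    # Zip wrapper around an executable (the FAX_*.zip / chd_did8-*.zip cases).
    if ext == '.zip' or data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if extension(info.filename) in EXECUTABLE_EXTS:
                        findings.append(f'archive contains executable {info.filename}')
        except zipfile.BadZipFile:
            findings.append('zip extension or signature but archive does not parse')

    # File sold as a PDF whose bytes are not a PDF (the VER103.pdf downloads).
    if ext == '.pdf' and not data.startswith(PDF_MAGIC):
        findings.append('.pdf name but content lacks the %PDF- header')

    # HTML attachment carrying script (the EFAX_Corporate.htm redirector).
    if ext in ('.htm', '.html') and re.search(rb'<script\b', data, re.IGNORECASE):
        findings.append('HTML attachment contains script')

    # Executable handed over without even a zip wrapper.
    if ext in EXECUTABLE_EXTS:
        findings.append(f'direct executable attachment ({ext})')

    return findings


def make_zip(inner_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip holding one file (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed samples: an 'MZ' header followed by zeros is not a runnable program,
# and example.invalid is a reserved name that never resolves.
STUB_EXE = b'MZ\x90\x00' + b'\x00' * 60
SAMPLES = {
    'chd_did8-55761798157-27768463314-110.zip': make_zip('fax_message.exe', STUB_EXE),
    'VER103.pdf': STUB_EXE,
    'EFAX_Corporate.htm': b'<html><body><script>document.location="http://example.invalid/";</script></body></html>',
    'quarterly-report.pdf': b'%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n',
    'photos.zip': make_zip('readme.txt', b'nothing to see here'),
}


def triage(samples: dict) -> dict:
    """Map each attachment name to its findings."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == '__main__':
    for name, findings in triage(SAMPLES).items():
        print(f'{name}: {findings or "clean"}')
```

The magic-byte check is the one that catches the "not pdf files" case: the extension says PDF, the sandbox reports say otherwise, and the first five bytes settle it without executing anything.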

Malware Link Variation:

Links to compromised websites like:

00002nd.rcomhost.com /outgoings /index.html
ftp.noroncomas.com /ables /index.html
revivifyministries.com /provably /index.html
capcityasc.com /bruise /index.html
der-schafscherer.de /chroming /index.html
attorneymcbride.com /onetime /index.html
lapergolita.com.ar /hiked /index.html
tvassist.co.uk /positioned /index.html
thewarrealm.org /squint /index.html
attorneymcbride.com /periods /index.html
www.aprasys.com /nuns /index.html
thewarrealm.org /equity /index.html
94.32.66.54 /domes /index.html
der-schafscherer.de /gnaw /index.html
volvoclub.gr /misunderstands /index.html
westchesterrent.com /veeps /index.html
bizwebtechnologies.com /foremasts /index.html
tvassist.co.uk /cultivators /index.html
1954f7e942e67bc1.lolipop.jp /delusions /index.html
ftp.noroncomas.com /fillips /index.html
00002nd.rcomhost.com /evens /index.html
westchesterrent.com /billfold /index.html
westchesterrent.com /outstrips /index.html
1954f7e942e67bc1.lolipop.jp /frisian /index.html
qubitech.com.au /pardon /index.html
www.onmangekoi.mes-sites.com /mildness /index.html
attorneymcbride.com /funded /index.html
tvassist.co.uk /eigenvalue /index.html
revivifyministries.com /bantamweights /index.html

Each loads three JavaScript files, such as:

ekaterini.mainsys.gr /overspreading /hermaphrodite.js
sisgroup.co.uk /despairs /marveled.js
psik.aplus.pl /christian /pickford.js

which redirect to something like:

buyfranklinrealty.com /topic/ regard_alternate_sheet.php

which usually runs a Java exploit, for example via the Blackhole v2 exploit kit.
