A new eFax scam email that has just been sent out, telling you that you have a new eFax message, actually links to a malicious site being hosted at places such as kaskada.tym.cz and isolearn.eu/. The full links, in our examples kaskada.tym.cz/feHTCmSa/index.html and isolearn.eu/z02NKnzs/index.html, we believe cause a malicious virus, trojan, or other software to download to your computer (although we have not confirmed this, our own tests suggest this – regardless, it is spam, and a scam, and the links that supposedly go to eFax actually all go to places such as kaskada.tym.cz/feHTCmSa/index.html and isolearn.eu/z02NKnzs/index.html).
The subject of the versions we’ve seen is “Corporate eFax message – 4 pages”, with a “From” address of ‘message@inbound.efax.com’. Each message has a supposed Caller ID number from which the fax supposedly originated, such as 764-625-1188 and 415-323-6414.
Each version so far also references a reference number, with each number being different, but all bearing the line “The reference number for this fax is” followed by the fake reference number.
Here are screen shots, showing that upon hovering over the supposed eFax links, it is actually revealed that the links go to the scam site. Below the screen shots is the full text of the fake mail.
From: message@inbound.efax.com
Subject: Corporate eFax message – 4 pages
Date: August 16, 2012 10:39:49 AM MDTFax Message [Caller-ID: 764-625-1188] You have received a 4 pages fax at 2012-08-16 11:39:19 GMT.
* The reference number for this fax is min1_did01-7298321593-9852971022-71.
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login2011 j2 Global Communications, Inc. All rights reserved.
eFaxŽ is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFaxŽ Customer Agreement.
Share
Follow Anne
13 Responses to New eFax Scam Email Leads to Malicious Site
Received one today from “message@inbound.efax.com” :
“eFax message from “POTS modem 2 ” – 1 page(s), Caller-ID: 1-630-226-2563″
New incident today, all links resolve to ellensplace.lk/putrefy/index.html
i received one today and don’t know what to do. I thouht it was a fax but it seems that it was a virus. Called Efax and they wouldn’t help (i subscribe to Efax). Not sure what to do to ensure that I am not infected. Tried running Norton but not sure if it detects this virus. Please help me if any of you have advice
Below is the email I received.
Fax Message [Caller-ID: 207-827-3055]
You have received a 8 page(s) fax at Fri, 09 Nov 2012 17:42:00 +0100.
* The reference number for this fax is vlp5_qmq10-2012091117-3372575603-03
To read received fax you need to open a file attached to this letter. It should be opened and run by double clicking on the file name. To view a file in PDF format, you need Adobe Reader, a free application distributed by Adobe Systems or any other free viewer for PDF files.
What is PDF format?
Portable Document Format (PDF) is a file format developed by Adobe Systems. PDF captures formatting information from a variety of desktop publishing applications, making it possible to send formatted documents and have them appear on the recipient’s monitor or printer as they were intended.
Change your file format!
You can change the format you receive your faxes in. Go to your Account section (link to my account) to see other file format options.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thanks for using the eFax® service!
© 2012 j2® Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2® Global Communications, Inc.
This account is subject to the terms listed in the eFax Customer Agreement
Hi I received an email from efax it was in junk mail but I have given out my email to some business to contact me for donations to give for a fundraiser I’m doing anyway thinking maybe it was just one of the business possibly I opened but was on my phone so it said not formatted to open but the link u have highlighted I did select and it took me to th efax FAQ page.. So is this legit I don’t have an efax acct but since it opened to the FAQ pg does that mean its a real efax and what harm can this cause my phone by opening that FAQ page? Thanks
user in my office clicked this, trying to find out impact and cleaning instructions. Thanks in advance
Got one of these today, Oct 19. The links and source code showed URL “searchforcauses.com/WmnQq5Eq/index.html” but clicking actually went to “big-claw-berkut.org/links/selection_ticket-activities.php”.
Checked “searchforcauses.com” in www.unmaskparasites.com and got “web page is clean”. A check in “sitecheck.sucuri.net” found no malware but said the site was “Blacklisted”.
Checked “big-claw-berkut.org” in www.unmaskparasites.com and also got “web page is clean”. A check in “sitecheck.sucuri.net” found no malware and not “Blacklisted”.
Disappointing result since these two web sites have served me well in the past.
Clicking on the fake fax link produced a blank web page and MS Security Essentials popped up a window saying “Detected threats are being cleaned”.
I just received one of these. I didnt open the attachment but I clicked on the web link. Norton blocked it, thank God.
Scam efax notification.
I received one of these Oct 9, 2012. This one has a different link than in your article so thought I’d let you know. (0358095.netsolhost.com/CwwGhu/index.html)
I have kept the email in case you want me to forward it to you for analysis, but it looks much the same as your example.
Good work with this site! – Dan.
just found one of these in my gmail spam box.
damn it, i clicked on one, now what??? waiting for something, now doing a full scan, fingers crossed
i recvd one of these today. in the source code of the email, i found the following:
“This external link will open in a new window” class=”keyescoverage.com/fTWjVg7K/index.html” target=”_blank”>
two new urls to put on your watch list.
thanks for the effort.
ga
They’re getting more sophisticated, hope we are able to conquer this problem
IT admin here – have seen three occurrences of this today.