This one’s scary since I’m an eFax user. But I was suspicious that it was asking me to click on a link (pointing to a server in Germany) rather than open an attachment. There were lots of warnings in 2010 about fake eFax messages delivering malware. I don’t know what this one does and don’t intend to find out. Here’s what they look like.
Sender: eFax (message@inbound.efax.com)
Subject: Corporate eFax message – 4 pages
Text:
Fax Message [Caller-ID: 369-716-1218]
You have received a 2 pages fax at 2012-08-16 11:76:67 GMT.
* The reference number for this fax is min1_did32-3198092476-7034547233-89. (link points to http://ftp.eutech-scientific.de/ecmYLjPx/index.html)
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
A second version said “2 pages” and had a different caller ID and time stamp but pointed to the same site.
Just got this, too, exact same wording. Didn’t click on the links so don’t know where/what would happen. Dying to find out, though.
I got one of these too. They are directing these toward people in the construction industry who will likely open it thinking it’s an ITB.
Got this also at: Thu 8/16/2012 2:59 PM
Says:
“You have received a 5 pages fax at 2012-08-16 11:29:58 GMT.
* The reference number for this fax is min1_did43-4364554822-9741014547-32.
View this fax using your PDF reader.
Click here to view this message
Please visit http://www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!”
Also … do NOT click any of the above links. They are not safe. I probably should have removed the actual URL.
Here is what mine looks like, received this one today. Have never received an eFax before. All 14 recipients were users of Juno IPS. My email address was not on the “To” list, but I received it anyway. Strange.
Fax Message [Caller-ID: 424-348-2457]
You have received a 4 pages fax at 2012-09-13 12:00:10 GMT.
* The reference number for this fax is min1_did74-2882582744-0379950629-79.
View this fax using your PDF reader.
Click here to view this message
Please visit http://www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
nice guys- just spread the virus from your mail to this page….lol
I got the same email, maybe because I use eFax as my fax provider.
Preston – According to this post, being an eFax customer has no connection with the spam. http://isc.sans.edu/diary.html?storyid=13921 Another report says the messages originate in Russia.
We also have been hit with this email several times this past week. One of my users clicked, and not sure on the impact – any word yet? Thanks much
R Siggy
This report says the links lead to a blackhole exploit kit:
http://stopmalvertising.com/spam-scams/corporate-efax-message-leads-to-blackhole-exploit-kit-2.0.html
If your user got the version that includes an attachment and clicked that, s/he might have installed a Trojan:
http://omniquadsecurityblog.com/2012/08/22/omniquad-warns-j2-global-efax-hoax-email-with-malware-win32trojandownloader/
I’d run a malware scan on the affected computer.
Received and really did not know what to do with. I clicked on the link but nothing happened. Reading above comments I’ll throw it into the “garbage bin” because I don’t anybody sending me 25 pages of fax without prior notice. Does anybody know, if with just clicking the link – without any reaction – a virus or something worse could have been installed?
Fax Message [Caller-ID: 910-597-5011]
You have received a 25 pages fax at Wed, 24 Oct 2012 12:02:45 +0900.
* The reference number for this fax is [eFAX-6C97CD323544212DA749].
View attached fax using your PDF reader.
Please visit http://www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Heinz: Better safe than sorry. Run a malware scan and see what it tells you. I use Avast and Malwarebytes — they’re free.
Guys,
What is best to block (IP/Domain) for users to stop receiving this spam? I blocked the IP and my users received the same things from another address!!!!
Spammers use IPs all over the world, so blocking them one by one isn’t a good strategy. If you run a mail server you could subscribe to a spam blackhole service like spamhaus or spamcop, or ask your ISP to do so. Or try Google Apps as your mail server, which has very effective spam filters. I prefer to use spambayes to filter out spam.
Just got one today!! Thanks 4 the heads up!
we got a bunch today, and we use Postini (Google Apps).
also:
http://technology.pitt.edu/2012-11-07-phish.html
I got some new ones too. Unlike the others, these had poorly formed HTML, so they looked like plain text followed by HTML code. Here’s the first few lines of one:
You have received a 6 page fax at Tue, 6 Nov 2012 19:00:47 +0100.* The reference number for this fax is dwm2_wad73-9763199729-5415799198-15.Click the following link to view this message: efaxcorporate.com/corp/twa/View?returnPageKey=6773916255 Please visit efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.Thank you for using the eFax Corporate service! © 2012 j2 Global, Inc. All rights reserved.eFax Corporate® is a registered trademark of j2 Global, Inc.This account is subject to the terms listed in the eFax Corporate Customer Agreement.
--------------05060500507030807020603
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
I also got an even lamer version. This one doesn’t look remotely like a real eFax message and the hyperlink looks like it won’t go anywhere (it leads to {} — that’s right, two brackets ).
Here’s what it looks like:
Sender: Incoming Fax [message@inbound.efax.com]
Subject: INCOMING FAX REPORT : Remote ID: 5646524085
Text:
Hi,
Just got this today at work, but instead of a link there is an attached zip file. The email looks fine, complete with eFax logo, etc. Have not opened it yet. Is it legit or not? Assuming not, but you never know.
Thanks!
Stacey — eFax doesn’t send zip files, they send .efx attachments. So if it’s a zip file it’s fake.
If you’re still not sure, look at the message header. I just sent myself a test eFax and the header shows:
Received: from stl1.efax.com (stl1.efax.com. [66.179.42.117])
In contrast, one of the many fake eFax messages I’ve received shows:
Received: from smtp1.red-sky.pl ([75.126.168.168])
If you’re still not sure, you can upload the attachment to an online virus scanner like http://virusscan.jotti.org/en
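The header and attachment checks described in the reply above, as an added example (not part of the original post or comments). It assumes the topmost `Received:` line was written by your own mail server; `mx.example.org`, the dates, the function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Matches the two forms quoted above: "from HELO (RDNS. [IP])" and "from HELO ([IP])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+?)\.?\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)")

def first_hop(msg):
    """Parse the topmost Received header (assumed written by our own server)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(" ".join(received[0].split()))  # unfold whitespace
    return m.groupdict() if m else None

def triage(raw, expected_domain="efax.com"):
    """Return a list of findings; an empty list means neither check fired."""
    msg = message_from_string(raw)
    findings = []
    # Use the name our server looked up for the connecting IP, not the HELO
    # name, which the sender chooses. The leading dot rejects lookalikes
    # such as notefax.com.
    rdns = ((first_hop(msg) or {}).get("rdns") or "").lower()
    if not (rdns == expected_domain or rdns.endswith("." + expected_domain)):
        findings.append("relay-not-" + expected_domain)
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(".zip"):
            findings.append("zip-attachment")
    return findings

# Constructed samples built around the two Received lines quoted above.
GENUINE = """\
Received: from stl1.efax.com (stl1.efax.com. [66.179.42.117]) by mx.example.org; Tue, 1 Apr 2014 10:00:00 +0000
From: eFax <message@inbound.efax.com>
Subject: eFax message

You have received a fax.
"""
FAKE = """\
Received: from smtp1.red-sky.pl ([75.126.168.168]) by mx.example.org; Tue, 1 Apr 2014 10:00:00 +0000
From: eFax <message@inbound.efax.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="fax.zip"

(constructed placeholder body)
--b1--
"""
```

The parenthesised name is only as reliable as the reverse lookup your own server performed, so treat a match as one signal alongside the SPF and DKIM results your server records.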
Robert
One of my fellow coworkers received this email with the attached zip file that Stacey was referring to. This computer is used to do a high velocity of work and for some reason the executable (which is qifwoqsiqulc.ecc) keeps popping up and asking for various passwords such as the mail server password for Outlook. Any ideas on how to stop this from happening and also to make sure that the virus is gone? We deleted the executable once and it ended up coming back.
Gary,
I haven’t had to remove the virus. Have you tried MalwareBytes? Here’s an article that might help: http://www.wintips.org/remove-zbot-trojan-efax-corporate-spam-message/
Received this today and thankfully I found this message board before clicking:
You have received 2 pages fax at 2013-08-29 10:24:18 CST.* The reference number for this fax is latf1_did11-1743639951-4211475041-44.Please visit www dot efaxcorporate dot com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com. Thank you for using the eFax Corporate service! 2013 j2 Global, Inc. All rights reserved.eFax Corporate is a registered trademark of j2 Global, Inc.
eFax Corporate
You have received 2 pages fax at 2013-08-29 10:24:18 CST.
* The reference number for this fax is latf1_did11-1743639951-4211475041-44.
Please visit www dot efaxcorporate dot com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!
Powered by j2
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
2013 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
I shared one of these emails with eFax to ask how to spot it as fake. Their response was that eFax sends a PDF file of the received fax to users – NOT a link to follow.
I just got one that looked very convincing, especially considering there was an attachment rather than a link. (It was a .zip.) Header has it coming from message@inbound.j2.com, and all the fine print verbiage is there (much like Gina’s quoted above).
Just to be safe, I didn’t open the attachment, but rather logged into my eFax account and looked at my Inbox, and there was no item there corresponding to the date of receipt (4-1-2014). So I’m assuming this was spam and malware, and that I’m better off not opening the attachment.