Hi folks,
One of my friends just posted this on his FB page. Sounds pretty legit; it looks like malware writers are constantly exploiting new ways to attack unsuspecting victims. Did any of you come across this yet?
This morning, I found a strange message in my email inbox. Here it is:
"Fax Message [Caller-ID: 905-436-2946]
You have received a 1 page fax at 2014-02-13 05:30:20 CDT.
* The reference number for this fax is min1_did13-1329191075-9054362946-49.
View this fax online, on our website : h**p://www.efax[dot]com/fax/fax_view.aspx?fax_id=9054362946
Please visit www.eFax[dot]com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! "
(***Please note that I altered the URLs, to avoid contaminated links!)
The message header was strange: "eFax.ca messages@inbound.efax.ca via galeon.timeweb.ru"
That was the first red flag: why would a reputable service route through a Russian server? A search for the number 905-436-2946 also revealed that it is assigned to "McAshphalt Industries Limited, 1221 Farewell St., Oshawa ON L1H6N8." That's nowhere near me - in any way, shape or form.
Up until this time, it could all have been a case of spam. I mean, we all know about email spam, and those of us who still have fax machines in the workplace know that every now and then, the machine will spit up some cruise advertisements, offers for professional courses, or even some weapons and ammo wholesale liquidation ads (!)
But this was NOT the case. I'm a curious guy, so I did some further research. I also have a dedicated "sandbox" computer with pretty good (enterprise-level) antivirus and malware protection - which is not something I expect most people would have readily available to them, in a normal household.
Using that machine, I downloaded the supposed fax message. It came as a ".zip" archive file - another red flag, because such documents would usually come as PDFs (pretty much the standard throughout the world).
Unsurprisingly, inside the .zip archive was a MS-DOS file. In simple terms, MS-DOS executables have access to the most basic foundation of the operating system, the skeleton under all the graphic interface. They give you access to the core of the machine, and there's very little showing on the outside. Further examination of the properties revealed text such as "WIN" (Windows), "COM" (communications services) and "INI" (a file used in Microsoft Windows operating environments to store basic settings at boot time).
By this time I recognized what it was, and I didn't have to bother with it any further. Running the damned thing would have been the equivalent of playing with the Ebola virus in a Level 3 laboratory: regardless of all the protection installed on this machine, I have no desire to dive into a pool of malware.
Basically, the mechanism is as follows:
1. The unsuspecting victim receives a seemingly legit email - through an apparently reputable online service! - informing them they received a fax message. People who run small businesses from home, who are looking for work, or who are in constant communication with other individuals or firms are the most likely to take these messages at face value.
2. The victim downloads the archive file and opens it.
3. The attacker gets control of their operating system, and the victim computer becomes a botnet/zombie machine, or a server base for further attacks.
So, there you have it. If you receive ANY messages purporting to be faxes, DO NOT rush to open the attachments! You WILL be very sorry.
*** update ***
While I was writing this, I received a new notification of another message, also via eFax. This time, though, my email service intercepted and labeled it as spam, because, in their own words: "We've found that lots of messages from server1.i-be.net are spam."
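A small mail-filter check for the two red flags the post walks through (the relay shown after "via" not belonging to the sender's domain, and an executable hidden inside a ".zip" fax attachment), as an added example that is not part of the original post; the sample message, the relay IP and the attachment names are constructed, and the two-label domain comparison is a deliberately simple heuristic.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXTS = ('.exe', '.com', '.scr', '.pif', '.bat', '.cmd')  # common executable names

def build_sample() -> bytes:
    """Constructed message shaped like the one quoted in the post; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:  # an executable hidden inside a "fax" archive
        zf.writestr('fax_9054362946.exe', b'MZ placeholder bytes, not a real program')
    msg = EmailMessage(policy=policy.default)
    # the "via" a mail client shows comes from the relay named in the Received header
    msg['Received'] = 'from galeon.timeweb.ru (galeon.timeweb.ru [203.0.113.5]) by mx.example.net'
    msg['From'] = 'eFax.ca <messages@inbound.efax.ca>'
    msg['Subject'] = 'Fax Message [Caller-ID: 905-436-2946]'
    msg.set_content('You have received a 1 page fax. See attached.')
    msg.add_attachment(buf.getvalue(), maintype='application', subtype='zip',
                       filename='fax_9054362946.zip')
    return msg.as_bytes()

def org_domain(host: str) -> str:
    """Heuristic: last two DNS labels (does not handle suffixes such as co.uk)."""
    return '.'.join(host.lower().rstrip('.').split('.')[-2:])

def analyze(raw: bytes) -> list[str]:
    """Return the red flags the post describes: relay/sender mismatch, executables in zips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_domain = parseaddr(str(msg.get('From', '')))[1].rsplit('@', 1)[-1]
    for hop in msg.get_all('Received') or []:
        m = re.search(r'\bfrom\s+([\w.-]+)', str(hop))
        if m and org_domain(m.group(1)) != org_domain(sender_domain):
            findings.append(f'relay {m.group(1)} does not belong to sender domain {sender_domain}')
    for part in msg.iter_attachments():
        name = (part.get_filename() or '').lower()
        if not name.endswith('.zip'):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXTS):
                        findings.append(f'{name} contains executable {member}')
        except zipfile.BadZipFile:
            findings.append(f'{name} is not a valid zip archive')
    return findings
```

Run `analyze(build_sample())` to see both flags raised; a message with no Received hops and no archive attachment yields an empty list.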