Tag Archives: botnet

Email Scam/Malware Alert: “Corporate eFax message”

I received this message yesterday afternoon (links have been removed, but are shown in blue):

*   *   *

From: eFax <[redacted]@coderbit.com>
Subject: Corporate eFax message – 9 pages

Fax Message [Caller-ID: 680-973-3656]

You have received a 9 pages fax at Wed, 03 Oct 2012 22:22:19 -1000.

* The reference number for this fax is min1_20121003222219.1055179.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login

© 2011 j2 Global Communications, Inc. All rights reserved.

eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

*   *   *

eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?

By mousing-over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouseover, that’s a good indication of foul play.

In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!

  1. min1_20121003222219.1055179: www.bathroomdesignstafford.co.uk/SAMiMyXq/index.html
  2. Click here to view this message: gurkan.bae.com.tr/1ttCGhGq/index.html
  3. www.eFax.com/en/efax/twa/page/help: webview360.net/Zn3VbH/index.html
  4. Home: egelisanfen.com/v2WPTAhV/index.html
  5. Contact: christianharfouche.net/Q1uRBnn/index.html
  6. Login: teknoturkbilisim.com.tr/5UTrCN5/index.html
  7. eFax® Customer Agreement: happlications.com/phjbPEB/index.html

You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”

Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.

Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and other criminal activity.

Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.

Virus Alert: “Your internet access is going to get suspended.” (ICS Monitoring Team)

This email has been around for at least a couple years. Full text:

From: ICS Monitoring Team
Sent: Tuesday, February 09, 2010 2:48 AM
To: [email address]
Subject: Your internet access is going to get suspended

Attachment: report.zip

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

If you get this message, or anything similar, delete it immediately, and whatever you do, don’t open that attachment. It’s a virus.

I don’t know exactly what sort of malware is attached, but if I had to guess, I would assume it contained some form software that could be used to remotely gain control of your computer. These “zombie computers” can then be used as part of a “botnet” to commit other crimes. In fact, a search for “ICS Monitoring Team” returned at least one link that appeared to be software that would allow you to remotely control other computers on a network.

They were really going for the jugular with this one, weren’t they? The fact is, a lot of people download copyrighted material, so they’ve got a lot of potential victims. Your first reaction upon reading something like this would probably be a small jolt of panic, whether you’ve been downloading stuff or not. The social engineering angle here is as brilliant as the grammar and spelling are execrable. “Consorcium?” Really?

Whatever you’ve been getting up to online, this message isn’t related to it. It’s just another attempt to infect computers with some kind of bad juju. I’m not saying you should keep ripping off copyright holders. Sometimes those BitTorrents are infected with stuff, too. And remember that one kid the entire music industry practically wanted to execute nine or ten years ago? People run into trouble that way.

However, if you do get caught, most likely your Internet service provider will just shut you down with very little explanation beyond “terms of service violations.” Some third party isn’t going to be given that power, at least not in the run-of-the-mill instances.