I received this message yesterday afternoon (links have been removed, but are shown in blue):
* * *
From: eFax <[redacted]@coderbit.com>
Subject: Corporate eFax message – 9 pages
Fax Message [Caller-ID: 680-973-3656]
You have received a 9 pages fax at Wed, 03 Oct 2012 22:22:19 -1000.
* The reference number for this fax is min1_20121003222219.1055179.
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
© 2011 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
* * *
eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?
By mousing over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouse over it says another, that’s a good indication of foul play.
In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!
- min1_20121003222219.1055179: www.bathroomdesignstafford.co.uk/SAMiMyXq/index.html
- Click here to view this message: gurkan.bae.com.tr/1ttCGhGq/index.html
- www.eFax.com/en/efax/twa/page/help: webview360.net/Zn3VbH/index.html
- Home: egelisanfen.com/v2WPTAhV/index.html
- Contact: christianharfouche.net/Q1uRBnn/index.html
- Login: teknoturkbilisim.com.tr/5UTrCN5/index.html
- eFax® Customer Agreement: happlications.com/phjbPEB/index.html
You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”
Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.
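The two checks described above (does the "from" address belong to the claimed company, and does each link lead where its text suggests) can be automated. The following is an added example, not part of the original post; the function names, the sample message and the placeholder `.example` hosts are constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
URLISH = re.compile(r"^(https?://)?([\w-]+\.)+[a-z]{2,}(/\S*)?$", re.I)

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lowercase hostname of a URL; a bare 'www.site.tld/path' is accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def audit(from_header, html_body, brand_domain):
    """Return a list of reasons the message does not match the claimed brand."""
    reasons = []
    sender_host = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if not in_domain(sender_host, brand_domain):
        reasons.append(f"sender domain {sender_host} is not {brand_domain}")
    collector = AnchorCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        target = host_of(href)  # what a mouse-over would reveal
        if URLISH.match(text) and not in_domain(target, host_of(text).removeprefix("www.")):
            reasons.append(f"'{text}' displays one site but links to {target}")
        elif not in_domain(target, brand_domain):
            reasons.append(f"'{text}' links to {target}, outside {brand_domain}")
    return reasons

# Constructed sample (placeholder .example hosts), modelled on the message above.
SAMPLE_FROM = "eFax <fax@sender.example>"
SAMPLE_HTML = ('<a href="http://site-one.example/a/index.html">Click here to view this message</a>'
               '<a href="http://site-two.example/b/index.html">www.eFax.com/en/efax/twa/page/help</a>')
```

Calling `audit(SAMPLE_FROM, SAMPLE_HTML, "efax.com")` returns three reasons, one for the sender and one per link. A "from" address can be forged, so a message that passes the sender check is not proven legitimate; the link checks are the stronger signal.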
Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and carry out other criminal activity.
Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.