An email with the subject of eFax message from “0300 200 3835” – 2 page(s) pretending to come from efax but actually coming from a look alike domain eFax <email@example.com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Sharik /Smoke /Dofoil Trojan. The last set of these we received also eventually downloaded Trickbot banking Trojan, although online sandboxes’ didn’t show that. I think it sleeps or delays the download of additional malware for too long for the sandboxes to deal with.
They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
Efax has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine company or Government domains. They used to register 3 or 4 newly registered domains that imitate the company or Government department or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far today I have found nearly 300 similar domains all based on mail.efaxcorporatexxx.top where xxx is a number from 100-399
mail.efaxcorporate254.top was registered on 5th June 2017 via publicdomainregistry.com using what are obviously fake details and hosted on a Russian server 220.127.116.11. Other variants of the domain are hosted on other IPs in the ‘’18.104.22.168 – 22.214.171.124′ and ‘126.96.36.199 – 188.8.131.52’ ranges Other variants of this were registered between 1st and 5th June 2017
I first saw this criminal gang imitating UK government departments or Agencies on April 2017 https://myonlinesecurity.co.uk/spoofed-hmrc-vat-return-and-payment-overdue-malspam-delivers-malware/ but didn’t realise the extent of their activities and the number of domain variants being registered and used
I only realised when we saw https://myonlinesecurity.co.uk/fake-hmrc-final-payment-request-malspam-delivers-sharik-smoke-trojan/
The criminal gang uses the .top domain service to register & host at least 100 variations of the domain at a time and use all of them to send malspam that passes all authentication checks. They even go the extent of creating reverse-PTR. Each variant of the domain is on its own IP address. so a lookup of mail.efaxcorporate254.top gives 184.108.40.206 and a reverse lookup of 220.127.116.11 gives mail.efaxcorporate254.top . That shows determination and many legitimate sites don’t do that correctly. They have done this on the entire 100 registered variants of the domain.
The email looks like:
From: eFax <firstname.lastname@example.org>
Date: Wed 07/06/2017 18:02
Subject: eFax message from “0300 200 3835” – 2 page(s)
Fax Message [Caller-ID: 0300 200 3835]
You have received a 2 page(s) fax at 2017-06-07 12:10:12 GMT.
* The reference number for this fax is lon1_did28-9874565646-1496754696-302.
Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login
© 2017 j2 Global, Inc. All rights reserved. eFax® is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.