fake eFax message from “0300 200 3835” – 2 page(s) malspam delivers smoke /sharik /dofoil and Trickbot

Fake Anna Mills Baby Bottles Wholesale Limited Copy Credit Note malspam delivers malware
June 10, 2017
What is that you were downloading
June 10, 2017

fake eFax message from “0300 200 3835” – 2 page(s) malspam delivers smoke /sharik /dofoil and Trickbot


An email with the subject of eFax message from “0300 200 3835” – 2 page(s) pretending to come from efax  but actually coming from a look alike domain eFax <message@mail.efaxcorporate254.top>   with a malicious word doc attachment  is today’s latest spoof of a well known company, bank or public authority delivering  Sharik /Smoke /Dofoil Trojan. The last set of these we received also eventually  downloaded Trickbot banking Trojan, although online sandboxes’ didn’t show that. I think it sleeps or delays the download of additional malware for too long for the sandboxes to deal with.

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Remember many email clients, especially on a mobile phone or tablet,  only show the Name in the From:  and not the bit in <domain.com >. That is why these scams and phishes work so well.

Efax has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

What has happened is that the criminals sending these have registered various domains that look like genuine company or Government  domains. They used to register  3 or 4 newly registered domains  that imitate the company or Government department   or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far today I have found nearly 300 similar domains all based on mail.efaxcorporatexxx.top where xxx is a number from 100-399

mail.efaxcorporate254.top was  registered on 5th June 2017 via publicdomainregistry.com using what are obviously fake  details and hosted on a Russian server Other variants of the domain are hosted on other IPs in the ‘’ –′ and ‘ –’  ranges Other variants of this were registered between 1st and 5th June 2017

I first saw this criminal gang imitating UK government departments or Agencies on April 2017 https://myonlinesecurity.co.uk/spoofed-hmrc-vat-return-and-payment-overdue-malspam-delivers-malware/ but didn’t realise the extent of their activities and the number of domain variants being registered and used

I only realised when we saw  https://myonlinesecurity.co.uk/fake-hmrc-final-payment-request-malspam-delivers-sharik-smoke-trojan/

The criminal gang uses the .top domain service to register & host at least 100 variations of the domain at a time  and use all of them to send malspam that passes all authentication checks. They even go the extent of creating reverse-PTR. Each variant of the domain is on its own IP address. so a lookup of   mail.efaxcorporate254.top  gives and a reverse lookup of  gives mail.efaxcorporate254.top . That shows determination and many legitimate sites don’t do that correctly. They have done this on the entire 100 registered variants of the domain.

The email looks like:

From: eFax <message@mail.efaxcorporate254.top>

Date: Wed 07/06/2017 18:02

Subject: eFax message from “0300 200 3835” – 2 page(s)

Attachment: FAX_20170607_1496754696_302.doc

Body content:


Fax Message [Caller-ID: 0300 200 3835]

You have received a 2 page(s) fax at 2017-06-07 12:10:12 GMT.

* The reference number for this fax is lon1_did28-9874565646-1496754696-302.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home     Contact     Login

© 2017 j2 Global, Inc. All rights reserved. eFax® is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.


Comments are closed.