Chad sent us a report today that they have been receiving strange eFax messages. Users who are using eFax are receiving "spear phishing" emails.

The emails are using the default eFax account (From: eFax <message@inbound.efax.com>) and avoiding most corporate SPAM filters. The link contained in this fax is suspicious which redirect to 3 different sites with the same Javascript.

We are looking for additional information that could help us understand if this new "spear phishing" method is widespread. If you have been receiving similar messages or have any tips on how you managed to filter this type of activity, please use our contact form, or share in the comments below.

[1] http://wepawet.iseclab.org/view.php?hash=dc41d8a1e845994cb01e3223ab51cbf1&t=1345162214&type=js
[2] http://wepawet.iseclab.org/view.php?hash=5c8c6f3205e7aa28bfd32d59f320e069&t=1345162348&type=js
[3] http://wepawet.iseclab.org/view.php?hash=f990f01593e5b603ee319c92f8cf3e94&t=1345162442&type=js

Update 1: What we have learned so far:

• You don't need to be an eFax subscriber to receive these eFax via email. Anyone can be a target
• It appears to be part of a Blackhole Exploit campaign
• The following seems to actively block suspicious eFax: Symantec Enterprise Protection 11, Barracuda and Mailmarshal emailgateway

Update 2:

• Other reports of antispam successfully filtering eFax are: Postini, Proofpoint and Google Apps spam filter
• We received a report that MessageLabs did not block these emails

ISC reader John indicated that he has filtered all Blackhole Exploit style phishing campaigns, including the eFax, FedEx, and AmEx with one simple RegEx:

\.\w{2,4}\/[\d\w]{8}\/index\.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu