Industry News

Fax notification email aims to infect your PC

Photo credits: Pixabay / uveX

Computer users have often been warned to be wary of opening unsolicited email attachments because of the risk of malware infection, and yet many continue to be infected via precisely this method.

In other words, the malicious hackers attempting to infect your PC don’t need a zero-day exploit for any of your software; all they need is the right camouflage for their email, so that you click without thinking.

One of the most common disguises seen in spammed-out malware campaigns in recent years is that of the “incoming fax”.

Now, if you’re anything like me, then chances are that you no longer find yourself regularly interacting with a fax machine, but that doesn’t mean that fax machines have entirely disappeared.

Fax services today are often integrated with business networks: they let you send a fax as easily as sending an email, and they deliver incoming faxes from the outside world straight to your email inbox, typically as an attachment.

And that’s why you need to be on your guard for attacks like the one I found in my inbox this week.

Subject: You have received a new fax, document 00319563

Attached file: scan_00319653.zip

Message body:

You have a new fax!

Please download attached fax document.

Scanned: Mon, 26 Oct 2015 03:02:15 +0300
Scan duration: 12 seconds
Resolution: 400 DPI
File name: scan_00319563.doc
Number of pages: 12
Scanned by: Arthur Lawson
Filesize: 137 Kb

Thank you for using Interfax!

Of course, it’s possible that the precise wording and details may be different in any samples that you might see.

So, the big question is – would you click on the attachment to open the ZIP file?

Hopefully you would be more cautious than that, but if you were to investigate the alleged fax you would find inside the ZIP a file with a .DOC.JS double extension: not a document at all, but a JavaScript file.

The file, which contains malware detected by Bitdefender as JS:Trojan.JS.Downloader.AR, exploits the age-old problem of how Windows handles files with more than one extension. It probably seemed like a good idea to Bill Gates once, but the truth of the matter is that for many years criminals have taken advantage of the fact that Windows Explorer, by default, hides the extension of known file types. Only the final extension is hidden, so a name such as scan.doc.js is displayed as scan.doc.

Malware authors exploit this by giving their creations more than one extension, .DOC.JS for instance, so that the name the user sees ends in .DOC while Windows treats the file as JavaScript and, on a double-click, hands it to the Windows Script Host to run.

A classic example of this is the Love Bug worm, which spread in May 2000 using a file called LOVE-LETTER-FOR-YOU.txt.vbs. Recipients of the Love Bug email mistook the attachment for a harmless text file rather than a potentially dangerous Visual Basic Script.
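The double-extension trick described above is easy to check for mechanically, before anyone is tempted to double-click. The following is an added example (not code from the original article or from Bitdefender) that models what Explorer shows when "Hide extensions for known file types" is on, and that inspects the members of a ZIP attachment in memory for script or executable extensions hiding behind a document-like one. The member name scan_00319563.doc.js and the archive contents are constructed for the example; the article does not give the exact name of the file inside the real ZIP, and the extension lists are illustrative rather than complete.

```python
import io
import zipfile

# Extensions Windows will run, or hand to a script host, on a double-click.
# Illustrative set chosen for this example, not an exhaustive list.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr",
                   ".com", ".bat", ".cmd", ".ps1", ".hta", ".jar"}

# Benign-looking extensions attackers put in front of the real one.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".png", ".xls", ".xlsx"}


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled: the final extension is dropped, so 'scan.doc.js' is
    rendered as 'scan.doc'."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def classify(filename: str) -> list[str]:
    """Return the reasons (possibly none) a member name looks like a
    disguised script or executable."""
    reasons = []
    name = filename.rsplit("/", 1)[-1].lower()  # ignore any folder inside the archive
    parts = name.split(".")
    if len(parts) < 2:
        return reasons
    exts = ["." + p for p in parts[1:]]
    real = exts[-1]                              # the extension Windows acts on
    if real in EXECUTABLE_EXTS:
        reasons.append(f"executable/script extension {real}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append(f"double extension: shown as {displayed_name(name)!r}")
    return reasons


def suspicious_entries(zip_bytes: bytes) -> dict[str, list[str]]:
    """Inspect every member of a ZIP attachment without extracting anything
    to disk; only the central directory is read."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign's ZIP. The member name follows
    the article's description; the content is a harmless placeholder, not
    the real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("scan_00319563.doc.js", "// placeholder, not the real script\n")
        zf.writestr("readme.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_entries(build_sample_attachment()).items():
        print(name, "->", "; ".join(reasons))
```

The same check is what a mail gateway should apply to archive attachments: an entry whose real extension is a script type is worth blocking regardless of what precedes it, and a decoy extension in front of it is a strong signal of intent rather than accident. On the endpoint, the display behaviour the example models is controlled by the Explorer option "Hide extensions for known file types"; turning it off makes scan_00319563.doc.js appear under its true name.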

In this case the JS file is obfuscated twice over, in an attempt to hide its true purpose from computer users. Once deobfuscated, however, it becomes clear that the script attempts to reach three separate domains on the web (presumably compromised websites) in order to download further malware onto the victim’s computer.

Bitdefender researchers have identified that the malware which is downloaded relates to Boaxxe/Miuref (detected by Bitdefender as Trojan.GenericKD.2827496), CoreBot (detected as Gen:Variant.Kazy.759022), and Jaik (detected as Gen:Variant.Jaik.9143).

It should go without saying that keeping your security software and system patches up to date is an important defence against malware attacks, but so are best practice and common sense.

If you are not expecting a fax, and your organisation does not use a fax-to-email service that produces notifications like the one in this attack, you should be suspicious straight away and not make life easy for the hackers.

Sadly there are many others out there who might fall for malicious campaigns like this. Just don’t let your computer be the next malware casualty.

Thanks to Bitdefender senior analyst Bogdan Botezatu for his assistance with this article.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

13 Comments

  • I use MailScanner on my linux servers.
    Viruses and executable files even in archives have no hope of getting through to me or my clients.
    Doesn’t every email provider use this or similar to eliminate these threats so users never see them?

  • Thank you, Graham. I have had notification of three of these emails this morning. Happily all intercepted and killed, but a timely warning.

  • I clicked — finally something fooled me. I checked whether Interfax was legit and it seemed to be. Then clicked. Message looks exactly as you describe. Is my iPad going to blow up? (asks a usually suspicious but sucker-this-time senior) :).

  • Obviously, if you aren’t expecting any faxes and you receive an emailed fax, you should be suspicious, but what if you DO regularly receive emails and you receive something like this that you weren’t expecting? What then? I have a travel agency…probably one of the FEW businesses that does still utilize fax machines for transmitting sensitive documents like passport information. I get faxes all the time, but I’ve recently started receiving unsolicited faxes from InterFax that look just like the one you wrote about. How is a business owner supposed to figure out if it is legit or not without opening it?

  • So glad this article posted. I just received that “interfax” message and didn’t want to open until I did a little research. I could not find any dirt on the company, but when I put in the full sentence that I received, where it says to open the attachment, I found this article. It is the same email that the article describes.
    Thank you for posting!

  • So, how would someone go about fixing their pc if they did have a momentary lapse in judgement and clicked the file thus totally wreaking havoc on their entire system…?

  • Received several emails in 2 days with the same scam. After execution, the js file would send several GET requests to compromised websites, downloading .gif files and executing them as .exe . For more details, you can check my writeup on the scam.

  • Interfax is not safe. I received a fax for the first time and was leery. I tried opening it but windows blocked it and told me it was a malicious fax.
    I have no idea how the sender even got my address as the name was not familiar.
    Being in business I thought it was from a potential client. I was wrong.
    At least Windows recognized what it really was and saved my computer from who knows what.

  • I received this exact email message directed to my private email address yesterday. This is an address that’s never been spammed, since I closely guard it & never use it online when filling out forms or registering on sites. I’m a computer repair tech who mostly just cleans up infected machines, so I knew better than to open the attachment. Still, I was curious as to where the email originated, so I saved it to a folder, scanned it with Avast, then Malwarebytes, and no infections were found! Perhaps this is why some people open these things, thinking once they’ve been found clean that they’re not malicious–or that since their incoming email is always scanned by their antivirus program then it must be clean. Not until I searched online, putting the full email subject in quotation marks, did I find any information regarding an infection/Trojan. Thanks for the good article, and for the reminder to never open these types of messages.

  • Thanks for posting this. I work in the healthcare industry, where faxing is still the preferred way to transmit data between providers. I received one of these today and only checked around online because I hadn’t heard of interfax, and because there was no origin phone number in the email (When is that not a part of the message when using online faxes? The answer is never). Anyway, thanks for verifying what my gut was telling me…DELETE!

  • Are Macs vulnerable to this as well?

    And is interfax.net a legitimate organisation?
    None of their support email addresses as given on the site seem to exist.

  • I get a lot of faxes at my business and downloaded this zip file. However, when it was in the “extract file” folder, I noticed it was a JavaScript file, and promptly deleted it prior to unzipping. What’s the bad news for me, or am I safe? Avast did not find anything on a scan, but I have the free version and hope they didn’t just miss it?