eFax Spam Email Malware Alert

Feb 25 2015 Alert: We're blocking new "eFax Report" spam this week. If you see one, do NOT click the link in the email.

A new wave of eFax spam was detected and immediately blocked yesterday by Spamalyzer and our threat analysts. One of the links in the message goes to a Dropbox file that likely contains a virus or other malware. Today we're seeing the same campaign, but in the form of fake payment notices from American Express and Citibank.

How eFax Malware Spam Works

Here's how it works. eFax is a popular digital fax service. Incoming faxes are usually formatted as PDF files that can be downloaded to read.

Scammers exploit this by sending fake emails that look like they are from eFax, with a link to a dangerous file. They want you to think the file is an incoming fax, so you'll download and "open" it. Don't do it.

The campaign we detected yesterday looks somewhat real unless you investigate further, like we did. Here's a screen capture:

[Screen capture: eFax Spam with a Dropbox Link to a Dangerous Zip File]

The logos look decent, as does much of the text. Some of the links (e.g., to efax.com) are even legitimate. But the link the scammer wants you to click goes to a zip file in a Dropbox account. Do not click the link. The zip file likely contains a virus or other dangerous malware that could do serious harm to your computer and/or network.

As I mentioned above, today we're seeing and blocking a variation on the campaign. This time, the emails look like notices from American Express and Citibank. As with the eFax variation, they include a link to a dangerous file in a Dropbox account.

How We Detected and Blocked It

Our 24/7/365 threat analysts constantly update our database to keep up with new threats. They can identify spam like this campaign very quickly and block it. Instead of relying solely on blocking "click-me" links or Bayesian heuristics, we have additional filters to ensure that sophisticated spam campaigns like this are blocked. That includes what we call "phrase" filters, which block based on complete phrases that we know would never occur in legitimate email.

Our threat analysts saw and blocked this campaign within moments by constructing complex phrase filters. We did not block it based on the click-me link because the Dropbox account that it links to is probably legitimate. The spammer probably hacked into the account (maybe by getting the login credentials from a prior phishing scam) and then uploaded the malicious zip file.
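The phrase-filter idea described above, as an added Python example that is not SpamStopsHere's own code: it normalizes the message body, matches complete phrases, and shows that the spam and a legitimate message share the same Dropbox link host. The phrases, sample messages and placeholder URLs are constructed for illustration.

```python
import html
import re
import unicodedata
from urllib.parse import urlparse

# Constructed phrases for illustration; not the vendor's actual filter list.
BLOCK_PHRASES = [
    "you have received a 3 page fax",
    "click here to view this fax using your pdf reader",
]

_TAG = re.compile(r"<[^>]+>")
_INVISIBLE = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")
_NON_WORD = re.compile(r"[\W_]+")
_URL = re.compile(r"""https?://[^\s"'<>]+""")


def normalize(body: str) -> str:
    """Reduce an HTML or plain-text body to lowercase words separated by one space."""
    text = html.unescape(_TAG.sub(" ", body))   # drop markup, decode &nbsp; and friends
    text = unicodedata.normalize("NFKC", text)  # fold full-width and compatibility forms
    text = _INVISIBLE.sub("", text)             # remove zero-width padding inside words
    return _NON_WORD.sub(" ", text).strip().casefold()


def matched_phrases(body: str, phrases=BLOCK_PHRASES) -> list:
    """Return each block phrase that appears as a run of whole words in the body."""
    text = f" {normalize(body)} "
    return [p for p in phrases if f" {normalize(p)} " in text]


def link_hosts(body: str) -> set:
    """Hosts of every http(s) link, i.e. what a link-based filter would key on."""
    return {urlparse(u).hostname for u in _URL.findall(body)}


# Constructed sample messages; the URLs are placeholders.
SPAM = ('<p>You have&nbsp;<b>RECEIVED</b> a 3 page f\u200bax.</p>'
        '<a href="https://www.dropbox.com/s/PLACEHOLDER/fax.zip">Click here to view '
        'this fax using your PDF reader</a>')
LEGIT = ('Hi Dana, the signed contract is here: '
         'https://www.dropbox.com/s/PLACEHOLDER/contract.pdf - I have received '
         'your fax as well.')

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("legit", LEGIT)):
        print(name, sorted(link_hosts(msg)), matched_phrases(msg) or "deliver")
```

Both messages resolve to the same link host, so only the phrase match separates them; the legitimate message contains the words "received" and "fax" but none of the complete phrases.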

For More Info

SpamStopsHere works differently from other anti-spam programs. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.

Our spam review team, along with our proprietary Spamalyzer 3.0, analyzes and blocks email threats for our customers 24/7/365. That's a claim almost no other antispam provider can make.

"eFax", "Dropbox", "American Express", "Citibank" and other marks are properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.