« Beware of funeral notice email scam leading to malware | Blog Home | New Phishing scam targeting American Express card holders »

Bookmark and Share

Beware of an email scam spoofing faxes from Ring Central

January 21, 2014

Today's article is about a long established email scam that claims to deliver a fax or faxes inside an attached file. Last year, the majority of these scams pretended to come from eFax, which is a well established fax to email provider. However, the current batch are now spoofing RingCentral as the sender.

The emails that are spoofing RingCentral all have a similar construction to this recent spam message:


From: "Ralph Brock" <[email protected]>
Subject: New Fax Message on 01/15/2013

Body (plain) text:

You Have a New Fax Message
From: (607) 009-4357
Received: Wednesday, January 15, 2014 at 11:34 AM
Pages: 4
To view this message, please open the attachment.
Thank you for using RingCentral.


In this case the attached file was simply named "fax.zip" which contained a .exe Trojan installer.

Messages like this are mostly targeting businesses, many of whom do business using fax exchanges. The goal in these instances is to install information stealing malware onto networked computers. The opportunity for cyber thieves is tremendous if they can get a key person to open such a file and allow it to be installed onto her or his office computer. Company secrets as well as bank accounts are stolen this way every day.

While businesses are the primary target, home users are also exploited by the banking or extortion Trojans often incorporated into the downloaded packages. You see, the first step in the infection if to install a downloader that works in the background. You don't normally see what it is doing until it is too late. Once the downloader is installed it assesses the computer for not only its hardware, but also the user privileges, other accounts, and if it is part of a network.

This report is sent back to the cyber criminals who are behind that particular spam run. The nature of the system report can alter the next delivery to be more useful based on whether it is a home user or a networked business system. A home user with just one PC connected to a cable modem might be targeted with something like the CryptoLocker ransomware that encrypts valuable file types and demands a payment in Bitcoins, or WebMoney to decrypt them. Or, sometimes fake anti-virus may be installed and a scan will lie about finding all manner of threats that can only be removed at a cost.

In virtually every case of these malware attachment infections, a remote access Trojan (a.k.a. RAT) component is installed, often incorporating what is called a "rootkit" or "bootkit." This component receives instructions and transmits requested data back to the servers controlled by the criminals running the operation. The infected computer then becomes part of a remote controlled network of compromised computers, which is known as a "botnet."

Computers in a botnet are said to be "botted." They are used as zombies that may lie in wait of instructions, acting normally for all appearances. But, when the "Mothership" controller sends a command to those computers, they wake up and do the bidding of the Bot Master. That bidding may be to turn a botted computer into a spam machine, or may order it to join an online attack against a business, personal, or Government website. Often, botted computers are rented out to host spam web pages, or to host malicious code that exploits the computers of innocent people who are tricked into clicking on poisoned links in email or instant messenger messages, or on compromised Facebook and Twitter accounts

What you can do to to avoid becoming another victim of this scam.

Home users who do not normally uses online fax services and are not expecting any faxes should assume that anything using language and file names similar to my sample are malicious and delete it. Look at the sender's name and more importantly, his email address. While these are spoofed, a lot of them are using Russian domains (e.g. st-bank.ru). If the recipient lives in the good old USA and does not operate an online business, why would somebody with e .RU (Russia) domain email account be sending you a fax?

Still, the weakest link in computer security often lies between the keyboard and the chair. So, make sure you have an up-to-date anti-virus or anti-malware program installed, updated automatically and functional. I personally use and recommend Trend Micro Internet Security. If you can't afford to pay for commercial security programs, AVG, Avira and Avast offer free versions, with somewhat limited features compared to their paid versions.

Business owners cannot afford to not have paid for anti-malware protection, especially one that scans incoming POP3 and MS Exchange email for threats. If your documents, payrolls, invoices and customer records aren't valuable enough to justify paying a small fee per computer to protect them again intruders and malware, are you really in business? Do you actually think that your bank will refund the money stolen by a banking Trojan from a business account? Think again. That protection is usually limited to personal accounts. Business accounts aren't usually reimbursed unless the bank is able to recover the stolen funds from the banks where it was sent, which in the case of Money Mules, could be dozens of banks..

Symantec, the makers of Norton AV, offer business grade security programs that have sliding rates based on the number of "seats" (PCs) to be protected. This is a wise investment to protect business computers, servers and assets.

Stay safe people. Email scams are picking up right now!

Bookmark and Share  

Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by
Movable Type 4.38

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

We are hosted on Bluehost and couldn't be happier!

Fight website spammers