Fake eFax Messages: A New Spin on an Old Phishing Trick

Hackers are again using fake eFax messages in phishing attacks, but the latest campaign has a new spin. Learn about their latest ploy.

In July 2019, security researchers announced the discovery a phishing scam that involved fake eFax messages. For years hackers have gone phishing using fake eFax messages, but this latest campaign caught the researchers’ attention. They found that it has a new spin. It infects victims with two different types of malware — a banking trojan and a remote access tool.

How the Scam Works

This latest phishing scam begins like its predecessors. Recipients receive an email supposedly from eFax. This fake eFax message tells the recipients they have received a fax. To view it, all they need to do is download the attached ZIP file and open the file inside it with Microsoft Word. However, the ZIP file actually contains a Microsoft Excel spreadsheet instead of a Word document. The spreadsheet contains a malicious macro — a series of commands that the hackers put together for nefarious purposes.

If the recipients open the spreadsheet and enable the macro, the commands initiate a process that results in the Dridex banking trojan and the Remote Manipulator System Remote Access Tool (RMS RAT) being installed on their computers. Dridex is designed to steal bank account credentials. RMS RAT lets the hackers remotely access and manipulate the victims’ computers. For example, they can transfer files, log keystrokes, and tamper with Windows Task Manager and other system utilities.

Having both types of malware installed lets hackers wreak twice as much havoc. It also gives them a backup communication channel in the event that one of the malware programs is detected and removed, according to researchers.

How to Protect Your Business

There are multiple measures you can take to protect your company against this type of attack. For starters, you can train employees on how to spot phishing emails. In this instance, there were several red flags. Although the message sported the official eFax logo, it included spelling and grammar errors. Plus, the message said to open the attached file with Word when it was an Excel spreadsheet.

During the training on how to spot phishing emails, it is important to let employees know they should not open attachments from unknown senders. In this case, a much safer alternative is for employees to view their faxes from the eFax website.

Another measure you can take to protect your company is to configure Excel and Word so that employees cannot enable macros. Macros are automatically disabled by default, but users are notified this has occurred and are given the option to enable them. You can change the macro setting so that macros are automatically disabled without any notification. That way, employees will not get a notification or the option to enable them. Alternatively, if your company uses digitally signed macros, you can select the option that disables all macros except those that are digitally signed.

There are additional measures you can take to defend against banking trojans, remote access tools, and other types of malware. We can go over your options and help you develop a comprehensive security strategy.


WAMS, Inc.

The experts at WAMS, Inc. all have a background in the legal industry and understand the software and the demands that come along with it. That’s why all our clients receive a dedicated account manager and engineer with specific planning that works for your business needs. We didn’t break into the tech world to pinch pennies from clients. We go into every partnership to help their business scale gracefully. Your company growth is our company growth, always.