The next in the never-ending series of Locky downloaders is an email with the subject “Fax from: (01242) 856225” [random numbers], pretending to come from Free Fax to Email <freefaxtoemail@random email domain>.

They use email addresses and subjects to entice users to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, hoping to get a better response than they do from consumers.

One of the emails looks like this:

From: Free Fax to Email <[email protected]>

Date: Tue 22/08/2021 20:25

Subject: Fax from: (01242) 856225

Attachment: ea00ba32a5.zip

Body content:

You Have Received a Fax

Dear Fax Customer,

A fax has been received on your Free Fax to Email number. You will find the fax attached to this email.

Here are the details of the fax:

Date/Time of Fax: Tue, 22 Aug 2021 17:25:19 -0200
Message Transaction ID: 2950583091_7_850
Received From: (01242) 856225
Fax Filename: Fax278044344f0dd0b.tif (1 page)

Did you know we also provide SMS services? Send bulk SMS text messages via web interface or REST API from just 3p. For more information see www.telecoms.cloud/sms

Don’t forget, you can also view and download past faxes from your Fax Inbox in your account on our web site. To do this, please login at www.freefaxtoemail.net using your username and password. If you would like to change the email address that your faxes get delivered to, please login to your account and click the Change link next to your email address.

Upgrade your Free Fax to Email account to a fully-featured fax account with Crosby Fax today and enjoy half-price fax sending, telephone technical support, enhanced security options and a choice of fax number types – or bring your existing physical fax number to us and save on line rental. See https://www.freefaxtoemail.net/upgrade.html for more details and to upgrade.

Please do not reply to this email directly as it is sent from an unmonitored email address which does not accept incoming messages.

If you have any questions or encounter any problems logging in, please visit our support pages at http://support.freefaxtoemail.net. All calls are recorded for quality and training purposes. Technical support via email or our support system is free.

Please note: When recording phone calls with any of our services, please remember to read the relevant legislation for your jurisdiction to ensure that you are recording legally.

Thank you,

The Telecoms Cloud team.

Free Fax to Email runs on the Telecoms Cloud platform.

Facebook: http://www.facebook.com/FreeFaxEmail Twitter: @FreeFaxEmail

Registered office: 25 – 31 Parliament Street, Liverpool L8 5RN. Registered in England and Wales, Company No. 08092142. VAT number: GB 175 6924 69. Data Controller Registration Number: ZA036519.

Screenshot:

These malicious attachments usually have a password-stealing component, intended to steal your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed specifically to steal your Facebook and other social network login details. A very high proportion of these are ransomware versions that encrypt your files and demand money (about £350/$400) to recover them.

All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist, and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed, picked at random from a long list that the bad guys previously found. The bad guys choose companies, government departments and organisations, with subjects designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on avoiding being infected by this sort of socially engineered malware.

Over the last few weeks, previous campaigns have delivered numerous different download sites and malware versions. There are frequently 5 or 6, and even up to 150, download locations on some days, sometimes serving the same malware from all locations and sometimes slightly different malware versions. Dridex/Locky updates at frequent intervals during the day, sometimes as often as every hour, so you might get a different version of this nasty ransomware or banking password-stealing Trojan.

This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC, PDF, JPG or other common file instead of the .EXE / .JS file it is, making it much more likely that you will open it and be infected accidentally.

Be very careful with email attachments. These emails use social engineering tricks to persuade you to open the attachments that come with them, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is likely to receive PDF attachments, Word .doc attachments or any other common file type they use every day.

The basic rule is NEVER to open any attachment to an email unless you are expecting it. That is very easy to say but quite hard to practice because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things or even cute pictures of the children or pets.

Never blindly click on the file in your email program. Always save the file to your downloads folder to check it first. Many malicious files attached to emails have a faked extension, that is, the three letters at the end of the file name. Unfortunately, by default Windows hides file extensions, so you need to set your folder options to “show known file types”. Then, when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball”, a report in Word document format that work has supposedly sent you to finish at the weekend, or an invoice or order confirmation from some company, you can easily see whether it is a picture or document and not a malicious program.

If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .VBS, .WSF, .JSE or .JAR at the end of the file name, DO NOT click on it or try to open it; it will infect you.

While the malicious program is inside the zip file, it cannot harm you or run automatically. It won’t infect you when it is just sitting, extracted, in your downloads folder, provided you don’t click it to run it. Just delete the zip and any extracted file, and everything will be OK. You can always run a scan with your antivirus to be sure. The bad guys can configure some zip files to run the malware file automatically when you double-click the zip to extract the file. If you right-click any suspicious zip file received and select “extract here” or “extract to folder” (after saving the zip to a folder on the computer), that risk is virtually eliminated. Never attempt to open a zip directly from your email; that is a guaranteed way to get infected. The best way is to delete the unexpected zip and not risk any infection.
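As an added example (not code from the original post), the Python below checks a saved zip the way the advice above describes, but without extracting or running anything: it reads only the archive directory, flags members whose real extension is one of the program/script types listed, and shows how a decoy second extension such as “.tif” would hide the payload when Windows is not showing known file types. The attachment contents are constructed for the demo; the real archive’s member names are not given on the page.

```python
import io
import zipfile

# Extensions the post warns about: these are programs or scripts, not pictures or documents.
EXECUTABLE_EXTS = {".js", ".exe", ".com", ".pif", ".scr", ".hta",
                   ".vbs", ".wsf", ".jse", ".jar"}
# Document/picture extensions borrowed to make the payload look harmless.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".tif", ".tiff", ".txt"}

def windows_display_name(filename):
    """Approximate Explorer with 'hide extensions for known file types' on:
    only the final extension disappears, so 'Fax.tif.js' is shown as 'Fax.tif'."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename

def assess_member(name):
    """Reason string if an archive member looks like a disguised program, else None."""
    base = name.rsplit("/", 1)[-1]          # ignore any folder path inside the zip
    parts = base.lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    ext = "." + parts[-1]
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
        return f"executable {ext} disguised with decoy extension .{parts[-2]}"
    return f"executable extension {ext}"

def risky_members(zip_bytes):
    """(member, reason) for every suspicious file, read from the zip directory only;
    nothing is extracted or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = None if info.is_dir() else assess_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample_zip():
    """Constructed stand-in for the attachment; the member names are made up for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fax278044344f0dd0b.tif.js", "// placeholder text, not a real script\n")
        zf.writestr("readme.txt", "harmless text\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in risky_members(build_sample_zip()):
        print(f"shown as {windows_display_name(member)!r}, really {member!r}: {reason}")
```

To check a real attachment you have saved to disk, pass `open(path, "rb").read()` to `risky_members` instead of the constructed sample.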