Thursday, December 6, 2012

Bogus RapidFax Emails Used to Spread Trojan

RapidFaxProceed with caution if a RapidFax fax alert arrives in your email inbox.

RapidFax allows users to send faxes online without using a fax machine, & cybercriminals are sending out bogus emails claiming that a new inbound fax has been received via RapidFax to try & trick recipients into downloading the malicious file attached to the email.

The spam emails typically use one of three titles: “Inbound Fax”, “RapidFax: Inbound Fax”, “RapidFax: New Inbound Fax” and have spoofed headers that make it appear as if it were sent from

The email body contains fake information related to the non-existent fax message received, and a file named is attached to the email.

Example email:

RapidFax SpamScrenshot Credit: MX Labs

From: RapidFax (
Subject: Inbound Fax

A fax has been received.

MCFID = 44558583
Time Received = Tue, 04 Dec 2012 13:18:49 -0400
Fax Number = 0541235410
ANI = 2804453004
Number of Pages = 20
CSID = 70060312745
Fax Status Code = Successful

Please do not reply to this email.

RapidFAX Customer Service

© 2012 J2 Global, Inc. All rights reserved. RapidFAX is a registered trademark.

Inside the zip archive is RapidFAX_MCID_000_LOTS_OF_NUMBERS__13341.pdf.exe, a malicious file sporting a rather long name in an attempt to hide the fact that is an executable file. That file is actually a Trojan that Microsoft identifies as PWS:Win32/Fareit.

Once installed on your computer, PWS:Win32/Fareit will keep busy by stealing login credentials stored in your web browser and FTP clients, and relay the data back to a remote server. Beyond that, PWS:Win32/Fareit has also been known to download and install the ZeuS banking Trojan onto the affected system.

Protecting Your PC from PWS:Win32/Fareit

Here are some preventative measures users can take to protect their PC from this threat:

  • Do not download or open files attached to unsolicited emails.

  • Always run antivirus software & keep the virus definitions current.

  • Keep your operating system & installed third-party software fully patched & up-to-date.

Removing PWS/Win32/Fareit From Your System

If you believe that your system has been infected by the Fareit Trojan, perform a full system scan using an antivirus solution to detect & remove the infection. The following vendors offer security solutions capable of detecting this threat, among others:

  • F-Secure [detected as Trojan-PSW:W32/Agent.DUHK]

  • Kaspersky [detected as Trojan-PSW.Win32.Tepfer.cqaj]

  • ESET [detected as Win32/Kryptik.APZB variant]

  • Malwarebytes [detected as Trojan.Lameshield]

  • McAfee [detected as Generic PWS.o]

  • Microsoft [detected as PWS:Win32/Fareit]

  • Sophos [detected as Troj/Zbot-DDW]

  • Symantec [detected as W32.Qakbot]

  • TrendMicro [detected as BKDR_PTF.AAA]

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

No comments:

Post a Comment