RapidFax allows users to send faxes online without using a fax machine. Cybercriminals are sending out bogus emails claiming that a new inbound fax has been received via RapidFax, to try and trick recipients into downloading the malicious file attached to the email.
The spam emails typically use one of three titles: “Inbound Fax”, “RapidFax: Inbound Fax”, or “RapidFax: New Inbound Fax”, and have spoofed headers that make them appear to have been sent from firstname.lastname@example.org.
The email body contains fake information related to the non-existent fax message received, and a file named rapidfax-E4C935577EDD.zip is attached to the email.
From: RapidFax (email@example.com)
Subject: Inbound Fax
A fax has been received.
MCFID = 44558583
Time Received = Tue, 04 Dec 2012 13:18:49 -0400
Fax Number = 0541235410
ANI = 2804453004
Number of Pages = 20
CSID = 70060312745
Fax Status Code = Successful
Please do not reply to this email.
RapidFAX Customer Service
© 2012 J2 Global, Inc. All rights reserved. RapidFAX is a registered trademark.
Inside the zip archive is RapidFAX_MCID_000_LOTS_OF_NUMBERS__13341.pdf.exe, a malicious file sporting a rather long name in an attempt to hide the fact that it is an executable file. That file is actually a Trojan that Microsoft identifies as PWS:Win32/Fareit.
Once installed on your computer, PWS:Win32/Fareit will keep busy by stealing login credentials stored in your web browser and FTP clients, and relay the data back to a remote server. Beyond that, PWS:Win32/Fareit has also been known to download and install the ZeuS banking Trojan onto the affected system.
Protecting Your PC from PWS:Win32/Fareit
Here are some preventative measures users can take to protect their PC from this threat:
- Do not download or open files attached to unsolicited emails.
- Always run antivirus software and keep the virus definitions current.
- Keep your operating system and installed third-party software fully patched and up-to-date.
Removing PWS:Win32/Fareit From Your System
If you believe that your system has been infected by the Fareit Trojan, perform a full system scan using an antivirus solution to detect and remove the infection. The following vendors offer security solutions capable of detecting this threat, among others:
- F-Secure [detected as Trojan-PSW:W32/Agent.DUHK]
- Kaspersky [detected as Trojan-PSW.Win32.Tepfer.cqaj]
- ESET [detected as Win32/Kryptik.APZB variant]
- Malwarebytes [detected as Trojan.Lameshield]
- McAfee [detected as Generic PWS.o]
- Microsoft [detected as PWS:Win32/Fareit]
- Sophos [detected as Troj/Zbot-DDW]
- Symantec [detected as W32.Qakbot]
- TrendMicro [detected as BKDR_PTF.AAA]