RingCentral “New Fax Message” Malware Email

Outline:
Email purporting to be from Internet fax service RingCentral claims that the recipient has a new fax message that can be viewed by opening an attached file.




Brief Analysis:
The email is not from RingCentral and the attachment does not contain a fax message. Instead, the attachment harbours malware. Once installed, this malware may harvest sensitive information from the compromised computer and download other dangerous malware components. If you receive this message, do not click any links or open any attachments that it contains.

Example:
You Have a New Fax Message
From: [Removed]
Received: Tuesday, April 8, 2014 at 9:34 AM
Pages: 1
To view this message, please open the attachment

Thank you for using RingCentral.

Ring central Fax Malware Email





Detailed Analysis:
This email, which purports to be from the Internet based fax service, RingCentral, claims that recipients have been sent a new fax message. The email invites recipients to open an attached .zip file to view the fax message.

However, RingCentral did not send the email and the attachment does not contain a fax message as claimed.

Those who go ahead and open the attached .zip file will find that it contains what may appear to less computer literate users to be a harmless .pdf. These users may expect a fax message transcript to be a .pdf and therefore click to open it without due caution. However, the file actually has a double extension (.pdf.exe). Thus, by opening the file, users are actually installing malware on their computers.

The precise payload in these malware emails may vary. Typically, however, the malware can collect sensitive personal and financial information from the compromised computer and relay it to remote servers operated by criminals. It may also download and install other malware such as ransomware.

The fake fax notification email ruse has been used several times in the past by online criminals intent on distributing malware.

At one time, fax machines were used extensively for business communications. But reliance on the machines has lessened considerably as newer technologies have emerged. However, should the need arise, faxes can still be sent and received via online fax services such as RingCentral.

Because online fax services do generally notify people of incoming faxes via email, criminals often send emails pretending to be from such services to trick people into installing malware.  If you receive such an email, do not open any attachments or click any links that it contains. Instead, log in to your online fax service account by entering the account address into your browser’s address bar.  If you really did receive a fax, you should be able to safely access and view it via the service’s website.




Last updated: January 25, 2017
First published: April 9, 2014
By Brett M. Christensen
About Hoax-Slayer

References
RingCentral New Fax Message fake Word doc or PDF malware
‘Incoming Fax Report’ Malware Email
RapidFax Malware Email