9/28/2011 12:50 PM

Social Engineering Attacks Pose As Corporate Copiers

Malware disguised as communications from in-house copiers and scanners with document emailing capabilities is on the rise, researchers say.

Beware emails that arrive from an in-house corporate printer, scanner, or all-in-one device. They may in fact be social engineering attacks, using emails with fake header information to fool users into opening the accompanying executable files, which are really malware.

That's one of the more curious attacks spotted over the past month, according to a new report from Symantec. The study also noted an increase in quantities of polymorphic malware--attack code that's able to constantly change, and thus fool many types of signature-based security tools--that appears to be from delivery services, such as UPS. In addition, while overall spam levels declined somewhat over the past month, there was a notable increase in pharmaceutical-related spam.

But the new social engineering attack based on printer-related subterfuge may win the month's award for cheap-and-cheerful innovation. As noted by the Symantec study, "some of the newest printers have scan-to-email ability, a feature that allows users to email scanned documents to a specified email address on demand."

Perhaps not surprisingly, malware purveyors have begun launching attacks by sending emails with a spoofed "from" line that reads as if it's a scan from that printer--featuring a semi-unique printer name, followed by eight random digits. They also spoof the originating domain to make it appear as if the message really originated from inside the business. The message typically comes with attached malware, hidden inside zip files, or executables disguised as Microsoft Office documents.

"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as '.zip' file attachments," according to Symantec. "No printer or scanner hardware was involved in the distribution process, and in general, users should always be careful when opening email attachments, especially from an unknown sender."
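The indicators described above (an internal-looking "from" line built from a printer name plus eight digits, a spoofed originating domain, and a zip or Office-looking executable attached) are all things a mail gateway can check before a user ever sees the message. The following is an added example, not code from the article or from Symantec's report: it assumes a constructed organisation domain (example.com), a constructed inventory of legitimate scan-to-email senders, and constructed sample messages built inline for demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

# Constructed inventory (not from the article): the organisation's mail domain and
# the sender addresses its real scan-to-email devices are configured to use.
INTERNAL_DOMAIN = "example.com"
KNOWN_SCANNERS = {"scanner@example.com", "mfp-floor2@example.com"}

# The pattern the article describes: a printer-like name followed by eight random digits.
SCANNER_NAME_RE = re.compile(r"\b[\w-]+[ _]\d{8}\b")

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DOCUMENT_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")


def suspicious_filename(name: str) -> Optional[str]:
    """Describe why a filename is suspicious, or return None if it is not."""
    lower = name.lower()
    if lower.endswith(EXECUTABLE_EXT):
        stem = lower.rsplit(".", 1)[0]
        if stem.endswith(DOCUMENT_EXT):          # e.g. Scan_0001.doc.exe
            return f"executable disguised as document: {name}"
        return f"executable attachment: {name}"
    return None


def zip_member_names(data: bytes) -> List[str]:
    """Member names of a zip attachment, or [] if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scanner_spoof_findings(raw: bytes) -> List[str]:
    """Return the spoofing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    display, addr = parseaddr(msg.get("From", ""))
    claims_internal = addr.rpartition("@")[2].lower() == INTERNAL_DOMAIN
    looks_like_scanner = bool(SCANNER_NAME_RE.search(display)) or bool(
        SCANNER_NAME_RE.search(msg.get("Subject", "")))

    # 1. A "scanner" sender on our own domain that is not one of our devices.
    if claims_internal and looks_like_scanner and addr.lower() not in KNOWN_SCANNERS:
        findings.append(f"From claims an internal scanner not in inventory: {addr}")

    # 2. The outermost Received header records the host that handed the message
    #    to our gateway; a genuine in-house device never arrives from outside.
    received = msg.get_all("Received", [])
    if claims_internal and received:
        m = re.match(r"from\s+(\S+)", str(received[0]))
        origin = m.group(1).lower() if m else ""
        if not origin.endswith("." + INTERNAL_DOMAIN):
            findings.append(f"internal From address but delivered from external host {origin or '?'}")

    # 3. Executables, bare or wrapped in a zip, posing as scanned documents.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hit = suspicious_filename(name)
        if hit:
            findings.append(hit)
        if name.lower().endswith(".zip"):
            for member in zip_member_names(part.get_payload(decode=True) or b""):
                hit = suspicious_filename(member)
                if hit:
                    findings.append(f"inside {name}: {hit}")
    return findings


def build_sample(spoofed: bool) -> bytes:
    """Constructed sample message for demonstration; not a real capture."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Scan_0001.doc.exe" if spoofed else "Scan_0001.pdf",
                    b"placeholder content, not a real file")
    msg = EmailMessage()
    if spoofed:
        msg["From"] = "HP_Officejet 39172044 <hp_officejet@example.com>"
        msg["Received"] = "from mail.sender.invalid (203.0.113.9) by mx.example.com; Wed, 28 Sep 2011 12:50:00 +0000"
        msg["Subject"] = "Scan from HP_Officejet 39172044"
    else:
        msg["From"] = "Scanner <scanner@example.com>"
        msg["Received"] = "from mfp-floor2.example.com (10.0.2.40) by mx.example.com; Wed, 28 Sep 2011 12:50:00 +0000"
        msg["Subject"] = "Scanned document"
    msg["To"] = "staff@example.com"
    msg.set_content("Please find the scanned document attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Scan_39172044.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, flag in (("spoofed", True), ("legitimate", False)):
        print(label, scanner_spoof_findings(build_sample(flag)))
```

The inventory check is the one that does the real work: a scan-to-email device has a fixed sender address, so any message claiming to be a scanner from an address that is not in that small allow-list can be quarantined outright, and the Received-header and attachment checks then give the analyst the supporting evidence. The zip inspection stops at listing member names; it deliberately does not extract or run anything.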

In other unusual malware news, a Microsoft researcher said he spotted a variant of the Alureon botnet--part of the TDL malware family--that uses images, including one that's apparently of Tom Cruise, to fool security defenses.

Earlier this week, Scott Molenkamp in Microsoft's malware protection center said he found a new Alureon component that appeared to mix cryptography with JPEG image processing, and which could download images from specific websites. "After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography," he said in a blog post.

Where images are concerned, steganography refers to hiding text inside an image, while ensuring that the image file otherwise functions as normal. According to Molenkamp, the Alureon malware can reach out to download specific image files, which are hosted on such websites as WordPress.com and LiveJournal.com, and then decode them to retrieve a text-based list of command-and-control server IP addresses, in case the ones hardcoded into the malware become unavailable. "In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations," he said.

Comments
Bprince,
User Rank: Ninja
9/29/2011 | 9:48:20 PM
re: Social Engineering Attacks Pose As Corporate Copiers
This reminds me of the research Zscaler did in 2010 about how the WebScan feature in HP printers could be abused to steal copies of scanned documents. Both clever attack vectors...
Brian Prince, InformationWeek contributor
http://research.zscaler.com/20...