Vulnerabilities / Threats
9/28/2011
12:50 PM
50%
50%

Social Engineering Attacks Pose As Corporate Copiers

Malware disguised as communications from in-house copiers and scanners with document emailing capabilities is on the rise, researchers say.

Top 20 Enterprise Laser Printers
Slideshow: Top 20 Enterprise Laser Printers
(click image for larger view and for slideshow)
Beware emails that arrive from an in-house corporate printer, scanner, or all-in-one device. They may in fact be social engineering attacks, using emails with fake header information to fool users into opening the accompanying executable files, which are really malware.

That's one of the more curious attacks spotted over the past month, according to a new report from Symantec. The study also noted an increase in quantities of polymorphic malware--attack code that's able to constantly change, and thus fool many types of signature-based security tools--that appears to be from delivery services, such as UPS. In addition, while overall spam levels declined somewhat over the past month, there was a notable increase in pharmaceutical-related spam.

But the new social engineering attack based on printer-related subterfuge may win the month's award for cheap-and-cheerful innovation. As noted by the Symantec study, "some of the newest printers have scan-to-email ability, a feature that allows users to email scanned documents to a specified email address on demand."

[ These kinds of attacks can be expensive. Read Social Engineering Attacks Cost Companies. ]

Perhaps not surprisingly, malware purveyors have begun launching attacks by sending emails with a spoofed "from" line that reads as if it's a scan from that printer--featuring a semi-unique printer name, followed by eight random digits. They also spoof the originating domain to make it appear as if the message really originated from inside the business. The message typically comes with attached malware, hidden inside zip files, or executables disguised as Microsoft Office documents.

"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as '.zip' file attachments," according to Symantec. "No printer or scanner hardware was involved in the distribution process, and in general, users should always be careful when opening email attachments, especially from an unknown sender."

In other unusual malware news, a Microsoft researcher said he spotted a variant of the Alureon botnet--part of the TDL malware family--that uses images, including one that's apparently of Tom Cruise, to fool security defenses.

Earlier this week, Scott Molenkamp in Microsoft's malware protection center said he found a new Alureon component that appeared to mix cryptography with JPEG image processing, and which could download images from specific websites. "After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography," he said in a blog post.

Where images are concerned, steganography refers to hiding text inside an image, while ensuring that the image file otherwise functions as normal. According to Molenkamp, the Alureon malware can reach out to download specific image files, which are hosted on such websites as WordPress.com and LiveJournal.com, and then decode them to retrieve a text-based list of command-and-control server IP addresses, in case the ones hardcoded into the malware become unavailable. "In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations," he said.

IT is caught in a squeeze between requests for new applications, services, and device support and demands from upper management to keep budgets lean, staffing light, and operations tight. These are irreconcilable objectives as long as we spend the vast majority of our resources on legacy services. Read our report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
9/29/2011 | 9:48:20 PM
re: Social Engineering Attacks Pose As Corporate Copiers
This reminds me of the researcher Zscaler did in 2010 about how the WebScan feature in HP printers could be abused to steal copies of scanned documents. Both clever attack vectors...
Brian Prince, InformationWeek contributor
http://research.zscaler.com/20...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!