Vulnerabilities / Threats
12:50 PM

Social Engineering Attacks Pose As Corporate Copiers

Malware disguised as communications from in-house copiers and scanners with document emailing capabilities is on the rise, researchers say.

Top 20 Enterprise Laser Printers
Slideshow: Top 20 Enterprise Laser Printers
(click image for larger view and for slideshow)
Beware emails that arrive from an in-house corporate printer, scanner, or all-in-one device. They may in fact be social engineering attacks, using emails with fake header information to fool users into opening the accompanying executable files, which are really malware.

That's one of the more curious attacks spotted over the past month, according to a new report from Symantec. The study also noted an increase in quantities of polymorphic malware--attack code that's able to constantly change, and thus fool many types of signature-based security tools--that appears to be from delivery services, such as UPS. In addition, while overall spam levels declined somewhat over the past month, there was a notable increase in pharmaceutical-related spam.

But the new social engineering attack based on printer-related subterfuge may win the month's award for cheap-and-cheerful innovation. As noted by the Symantec study, "some of the newest printers have scan-to-email ability, a feature that allows users to email scanned documents to a specified email address on demand."

[ These kinds of attacks can be expensive. Read Social Engineering Attacks Cost Companies. ]

Perhaps not surprisingly, malware purveyors have begun launching attacks by sending emails with a spoofed "from" line that reads as if it's a scan from that printer--featuring a semi-unique printer name, followed by eight random digits. They also spoof the originating domain to make it appear as if the message really originated from inside the business. The message typically comes with attached malware, hidden inside zip files, or executables disguised as Microsoft Office documents.

"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as '.zip' file attachments," according to Symantec. "No printer or scanner hardware was involved in the distribution process, and in general, users should always be careful when opening email attachments, especially from an unknown sender."

In other unusual malware news, a Microsoft researcher said he spotted a variant of the Alureon botnet--part of the TDL malware family--that uses images, including one that's apparently of Tom Cruise, to fool security defenses.

Earlier this week, Scott Molenkamp in Microsoft's malware protection center said he found a new Alureon component that appeared to mix cryptography with JPEG image processing, and which could download images from specific websites. "After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography," he said in a blog post.

Where images are concerned, steganography refers to hiding text inside an image, while ensuring that the image file otherwise functions as normal. According to Molenkamp, the Alureon malware can reach out to download specific image files, which are hosted on such websites as and, and then decode them to retrieve a text-based list of command-and-control server IP addresses, in case the ones hardcoded into the malware become unavailable. "In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations," he said.

IT is caught in a squeeze between requests for new applications, services, and device support and demands from upper management to keep budgets lean, staffing light, and operations tight. These are irreconcilable objectives as long as we spend the vast majority of our resources on legacy services. Read our report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/29/2011 | 9:48:20 PM
re: Social Engineering Attacks Pose As Corporate Copiers
This reminds me of the researcher Zscaler did in 2010 about how the WebScan feature in HP printers could be abused to steal copies of scanned documents. Both clever attack vectors...
Brian Prince, InformationWeek contributor
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.