Vulnerabilities / Threats
9/28/2011
12:50 PM
Connect Directly
RSS
E-Mail
50%
50%

Social Engineering Attacks Pose As Corporate Copiers

Malware disguised as communications from in-house copiers and scanners with document emailing capabilities is on the rise, researchers say.

Top 20 Enterprise Laser Printers
Slideshow: Top 20 Enterprise Laser Printers
(click image for larger view and for slideshow)
Beware emails that arrive from an in-house corporate printer, scanner, or all-in-one device. They may in fact be social engineering attacks, using emails with fake header information to fool users into opening the accompanying executable files, which are really malware.

That's one of the more curious attacks spotted over the past month, according to a new report from Symantec. The study also noted an increase in quantities of polymorphic malware--attack code that's able to constantly change, and thus fool many types of signature-based security tools--that appears to be from delivery services, such as UPS. In addition, while overall spam levels declined somewhat over the past month, there was a notable increase in pharmaceutical-related spam.

But the new social engineering attack based on printer-related subterfuge may win the month's award for cheap-and-cheerful innovation. As noted by the Symantec study, "some of the newest printers have scan-to-email ability, a feature that allows users to email scanned documents to a specified email address on demand."

[ These kinds of attacks can be expensive. Read Social Engineering Attacks Cost Companies. ]

Perhaps not surprisingly, malware purveyors have begun launching attacks by sending emails with a spoofed "from" line that reads as if it's a scan from that printer--featuring a semi-unique printer name, followed by eight random digits. They also spoof the originating domain to make it appear as if the message really originated from inside the business. The message typically comes with attached malware, hidden inside zip files, or executables disguised as Microsoft Office documents.

"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as '.zip' file attachments," according to Symantec. "No printer or scanner hardware was involved in the distribution process, and in general, users should always be careful when opening email attachments, especially from an unknown sender."

In other unusual malware news, a Microsoft researcher said he spotted a variant of the Alureon botnet--part of the TDL malware family--that uses images, including one that's apparently of Tom Cruise, to fool security defenses.

Earlier this week, Scott Molenkamp in Microsoft's malware protection center said he found a new Alureon component that appeared to mix cryptography with JPEG image processing, and which could download images from specific websites. "After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography," he said in a blog post.

Where images are concerned, steganography refers to hiding text inside an image, while ensuring that the image file otherwise functions as normal. According to Molenkamp, the Alureon malware can reach out to download specific image files, which are hosted on such websites as WordPress.com and LiveJournal.com, and then decode them to retrieve a text-based list of command-and-control server IP addresses, in case the ones hardcoded into the malware become unavailable. "In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations," he said.

IT is caught in a squeeze between requests for new applications, services, and device support and demands from upper management to keep budgets lean, staffing light, and operations tight. These are irreconcilable objectives as long as we spend the vast majority of our resources on legacy services. Read our report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
9/29/2011 | 9:48:20 PM
re: Social Engineering Attacks Pose As Corporate Copiers
This reminds me of the researcher Zscaler did in 2010 about how the WebScan feature in HP printers could be abused to steal copies of scanned documents. Both clever attack vectors...
Brian Prince, InformationWeek contributor
http://research.zscaler.com/20...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.