Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Social Engineering Attacks Pose As Corporate Copiers

Malware disguised as communications from in-house copiers and scanners with document emailing capabilities is on the rise, researchers say.

Top 20 Enterprise Laser Printers
Slideshow: Top 20 Enterprise Laser Printers
(click image for larger view and for slideshow)
Beware emails that arrive from an in-house corporate printer, scanner, or all-in-one device. They may in fact be social engineering attacks, using emails with fake header information to fool users into opening the accompanying executable files, which are really malware.

That's one of the more curious attacks spotted over the past month, according to a new report from Symantec. The study also noted an increase in quantities of polymorphic malware--attack code that's able to constantly change, and thus fool many types of signature-based security tools--that appears to be from delivery services, such as UPS. In addition, while overall spam levels declined somewhat over the past month, there was a notable increase in pharmaceutical-related spam.

But the new social engineering attack based on printer-related subterfuge may win the month's award for cheap-and-cheerful innovation. As noted by the Symantec study, "some of the newest printers have scan-to-email ability, a feature that allows users to email scanned documents to a specified email address on demand."

[ These kinds of attacks can be expensive. Read Social Engineering Attacks Cost Companies. ]

Perhaps not surprisingly, malware purveyors have begun launching attacks by sending emails with a spoofed "from" line that reads as if it's a scan from that printer--featuring a semi-unique printer name, followed by eight random digits. They also spoof the originating domain to make it appear as if the message really originated from inside the business. The message typically comes with attached malware, hidden inside zip files, or executables disguised as Microsoft Office documents.

"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as '.zip' file attachments," according to Symantec. "No printer or scanner hardware was involved in the distribution process, and in general, users should always be careful when opening email attachments, especially from an unknown sender."

In other unusual malware news, a Microsoft researcher said he spotted a variant of the Alureon botnet--part of the TDL malware family--that uses images, including one that's apparently of Tom Cruise, to fool security defenses.

Earlier this week, Scott Molenkamp in Microsoft's malware protection center said he found a new Alureon component that appeared to mix cryptography with JPEG image processing, and which could download images from specific websites. "After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography," he said in a blog post.

Where images are concerned, steganography refers to hiding text inside an image, while ensuring that the image file otherwise functions as normal. According to Molenkamp, the Alureon malware can reach out to download specific image files, which are hosted on such websites as WordPress.com and LiveJournal.com, and then decode them to retrieve a text-based list of command-and-control server IP addresses, in case the ones hardcoded into the malware become unavailable. "In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations," he said.

IT is caught in a squeeze between requests for new applications, services, and device support and demands from upper management to keep budgets lean, staffing light, and operations tight. These are irreconcilable objectives as long as we spend the vast majority of our resources on legacy services. Read our report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
9/29/2011 | 9:48:20 PM
re: Social Engineering Attacks Pose As Corporate Copiers
This reminds me of the researcher Zscaler did in 2010 about how the WebScan feature in HP printers could be abused to steal copies of scanned documents. Both clever attack vectors...
Brian Prince, InformationWeek contributor
http://research.zscaler.com/20...
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34682
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.
CVE-2021-32553
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.