
SoylentNews is people

posted by martyb on Wednesday January 03 2018, @04:55AM
from the You've-got-mal-mail! dept.

Cyber-criminals are spoofing scanners by the millions to launch attacks containing malicious attachments that appear to be coming from the network printer.

Barracuda researchers first witnessed the initial attack in late November 2017 and said the attachment provides the attackers with the ability to initiate covert surveillance or gain unauthorised backdoor access to the victim PC, according to a 21 December blog post.

[...] “Receiving a PDF attachment in an email sent by a printer is so commonplace that many users assume the document is completely safe,” researchers said in the blog. “From a social engineering perspective, this is exactly the response that the cyber-criminals want.”

[...] The email subjects read something like “Scanned from HP”, “Scanned from Epson”, or “Scanned from Canon,” while containing a malicious file attachment with anti-detection techniques such as modified file names and extensions inside the traditional file archive, which allows attackers to hide the malicious code inside the archive, imitating a '.jpg', '.txt' or any other format.

The malware in the attachments was designed to gain unfettered access to a user's device including the ability to monitor user behaviour, change computer settings, browse and copy files, [and] utilise the bandwidth to victim's devices.

Source: https://www.scmagazineuk.com/criminals-spoof-scanners-and-printers-by-the-millions-to-spread-malware/article/733793/
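
The subject lines and disguised archive members described in the story above can be checked at the mail gateway. The following is an added example, not code from the article or from Barracuda; the function names, the extension lists and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"\bscanned (from|by) (hp|epson|canon)\b", re.I)
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "wsf", "lnk"}
DECOY_EXT = {"pdf", "jpg", "jpeg", "txt", "doc", "docx", "png"}  # both lists are assumptions

def check_name(name, head=b""):
    """Return reasons an attachment or archive member name looks disguised."""
    parts = name.lower().strip().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXT:
        hidden = len(parts) > 2 and parts[-2] in DECOY_EXT
        return [f"{name}: {'double' if hidden else 'executable'} extension .{ext}"]
    if ext in DECOY_EXT and head[:2] == b"MZ":  # PE files start with "MZ"
        return [f"{name}: PE header under .{ext} name"]
    return []

def scan_message(raw):
    """Scan one RFC 5322 message (bytes) and return a list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(msg["Subject"] or ""):
        findings.append("subject imitates a scan-to-email device")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings += check_name(part.get_filename() or "", data)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as fh:  # read only the first two bytes
                        findings += check_name(info.filename, fh.read(2))
    return findings

def sample_message():  # constructed, harmless sample input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"placeholder, not a program")
        zf.writestr("page1.jpg", b"MZ placeholder bytes")
        zf.writestr("readme.txt", b"plain text")
    msg = EmailMessage()
    msg["Subject"] = "Scanned from HP"
    msg.set_content("Please find the scanned document attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Scan_0001.zip")
    return msg.as_bytes()
```

Password-protected archive members raise `RuntimeError` when opened without a password; a production filter should catch that and report it as a finding of its own.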



 
This discussion has been archived. No new comments can be posted.
  • (Score: 3, Insightful) by nobu_the_bard (6373) on Wednesday January 03 2018, @01:37PM (#617143)

    They've been doing this for YEARS, guys! I have "scanned by epson" custom rules in my spam filter from 2016. I've been advising users to NOT directly scan-to-email to users outside of their office, and where it was feasible or the users had a habit of doing it anyway, restricted the printer or its email account to that very same limitation. Then it's easier to train them to only trust scan-to-emails from their own printer they recognize and refuse all others.

    "Anti-detection techniques" like fake extensions go back even further. Hardly any spam filter I know of doesn't take into account the possibility of a trick like file.pdf.exe with the PDF icon. Windows will hide that .exe from the user so they won't think twice about clicking it.

    I thought this was going to be about malware injecting print drivers to use the print spooler as its foothold. That's a more recent problem I've been having, though it's not a new problem either. If the malware screws up the print spooler, it'll likely crash, which screws up printing for anyone sharing that resource (whether on a terminal server or a print server).

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday January 03 2018, @01:46PM (#617144)

    What admin leaves a system configured to hide known extensions?

    • (Score: 4, Informative) by Grishnakh (2831) on Wednesday January 03 2018, @04:44PM (#617205)

      Most of them, I think, but that has been a vector for malware for as long as I can remember Windows being around, so anyone who still does that deserves whatever happens to them.