
posted by martyb on Wednesday January 03 2018, @04:55AM
from the You've-got-mal-mail! dept.

Cyber-criminals are spoofing scanners by the millions to launch attacks containing malicious attachments that appear to be coming from the network printer.

Barracuda researchers first witnessed the initial attack in late November 2017 and said the attachment gives the attackers the ability to initiate covert surveillance or to gain unauthorised access to the victim PC through a backdoor, according to a 21 December blog post.

[...] “Receiving a PDF attachment in an email sent by a printer is so commonplace that many users assume the document is completely safe,” researchers said in the blog. “From a social engineering perspective, this is exactly the response that the cyber-criminals want.”

[...] The emails' subject lines read something like “Scanned from HP”, “Scanned from Epson”, or “Scanned from Canon”, while carrying a malicious attachment that uses anti-detection techniques such as modified file names and extensions inside an ordinary file archive, which lets attackers hide the malicious code inside the archive under the guise of a '.jpg', '.txt' or any other format.

The malware in the attachments was designed to gain unfettered access to a user's device, including the ability to monitor user behaviour, change computer settings, browse and copy files, [and] utilise the victim's bandwidth.

Source: https://www.scmagazineuk.com/criminals-spoof-scanners-and-printers-by-the-millions-to-spread-malware/article/733793/
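The summary above describes two things a mail gateway can actually test for: a scanner-style subject arriving from an address that is not the organisation's own copier, and an archive whose members carry a misleading name or extension (a PE file named like a PDF, a "jpg" that is not a JPEG). The following is an added example, not code from the SoylentNews post, Barracuda or SC Magazine; the trusted copier address, the domains and the sample message are assumptions constructed for the demonstration.

```python
"""
Added example (not from the original post or the cited article): a small
gateway-style check for spoofed "scan-to-email" messages. It parses a
constructed .eml, flags a scanner-style subject from a sender that is not
the organisation's real copier, and opens any ZIP attachment to look for
members whose name or contents do not match the document they claim to be.
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: the only address the real copier sends scans from.
TRUSTED_SCANNER_SENDERS = {"copier@corp.example"}

# Subjects of the kind the article quotes ("Scanned from HP", "Scanned from Epson", ...).
SCANNER_SUBJECT = re.compile(
    r"\bscanned?\s+(from|by)\s+(hp|epson|canon|xerox|ricoh|brother)\b", re.I)

# Extensions Windows executes directly; one of these behind a document-looking
# name (Scan_0001.pdf.exe) is the classic double-extension trick.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "lnk"}

# Magic bytes for formats an attachment commonly claims to be.
MAGIC = {"pdf": b"%PDF", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG"}
MZ = b"MZ"  # DOS/PE executable header


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a file (by name and first bytes) looks disguised."""
    reasons = []
    exts = name.lower().rsplit("/", 1)[-1].split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{exts[-1]}")
        if len(exts) > 1:
            reasons.append(f"double extension hides .{exts[-1]} behind .{exts[-2]}")
    if head.startswith(MZ):
        reasons.append("PE header (MZ) in content")
    claimed = exts[-1] if exts else ""
    expected = MAGIC.get(claimed)
    if expected and not head.startswith(expected):
        reasons.append(f"content does not match claimed .{claimed} magic")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the findings a gateway would log."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    addr = email.utils.parseaddr(str(msg.get("From") or ""))[1].lower()
    subject = str(msg.get("Subject") or "")
    if SCANNER_SUBJECT.search(subject) and addr not in TRUSTED_SCANNER_SENDERS:
        findings.append(f"scanner-style subject {subject!r} from untrusted sender {addr}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            # Look inside the archive: the article notes the disguise is applied
            # to the member names, not the outer .zip.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    head = zf.open(info).read(8)
                    for r in classify_member(info.filename, head):
                        findings.append(f"{fname}:{info.filename}: {r}")
        else:
            for r in classify_member(fname, payload[:8]):
                findings.append(f"{fname}: {r}")
    return {"suspicious": bool(findings), "findings": findings}


def build_spoofed_sample() -> bytes:
    """Constructed sample: spoofed 'Scanned from HP' mail with a ZIP holding a
    PE file named like a PDF and a 'jpg' that is not a JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_0001.pdf.exe", MZ + b"\x90\x00\x03\x00" + b"\x00" * 60)
        zf.writestr("Scan_0002.jpg", b"not really a jpeg")
    msg = EmailMessage()
    msg["From"] = "HP Officejet <scanner@mail-relay.example.net>"  # assumed spoofed sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Scanned from HP"
    msg.set_content("Please find the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Scan_0001.zip")
    return msg.as_bytes()


def build_legit_sample() -> bytes:
    """Constructed sample: a genuine scan from the assumed copier address."""
    msg = EmailMessage()
    msg["From"] = "copier@corp.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Scanned from HP"
    msg.set_content("")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="Scan_0003.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("spoofed", build_spoofed_sample()), ("legit", build_legit_sample())):
        print(label, scan_message(raw))
```

The sender check is deliberately the first test: as several commenters note, a real copier sends from one known address, so a "Scanned from ..." subject from anywhere else is already a strong signal before the attachment is opened. The magic-byte comparison catches the case where the extension is not executable at all but the content is, which a name-only rule such as `*.pdf.exe` would miss.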


  • (Score: 3, Interesting) by frojack on Wednesday January 03 2018, @05:44AM (8 children)

    by frojack (1554) on Wednesday January 03 2018, @05:44AM (#617071) Journal

    Apparently there are people who still do.

    I see these all the time, invariably in my spam folder, invariably all purporting to come from my own network. I suppose if I worked for a huge organization I might fall for that, but probably not. If I wasn't expecting it from a specific person I don't open it. And, as I say, spamassassin has it marked as spam anyway.

    I don't read pdf files on windows any more. Or with Adobe software.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 1, Insightful) by Anonymous Coward on Wednesday January 03 2018, @09:26AM (1 child)

      by Anonymous Coward on Wednesday January 03 2018, @09:26AM (#617106)

      A campaign like this is successful even if only 1 in 100K people fall for it. It's the same with malvertisement. There's also the chance that people open them by accident due to misclicking, and given the trend to butcher UIs into barely usable garbage this will become ever more common.

      • (Score: 0) by Anonymous Coward on Wednesday January 03 2018, @09:31AM

        by Anonymous Coward on Wednesday January 03 2018, @09:31AM (#617108)

        PS: What surprises me more is that despite executable and script whitelisting being a thing since 2008/2009 on windaz, organizations go out of their way to never deploy these measures (despite paying for the versions of the OS that offer them).

    • (Score: 0) by Anonymous Coward on Wednesday January 03 2018, @01:26PM (1 child)

      by Anonymous Coward on Wednesday January 03 2018, @01:26PM (#617141)

      hey so do you read pdfs on linux with adobe software and on windows without it?

      new year means I'm trying not to be a grammar nazi but i at least can point out poor structure and unclear presentation of thought. dig.

      • (Score: 2) by frojack on Wednesday January 03 2018, @08:14PM

        by frojack (1554) on Wednesday January 03 2018, @08:14PM (#617326) Journal

        hey so do you read pdfs on linux with adobe software and on windows without it?

        I would expect better English parsing skills, even from an AC too stupid or lazy to sign in.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Wednesday January 03 2018, @02:01PM

      by Anonymous Coward on Wednesday January 03 2018, @02:01PM (#617148)

      But who opens those?

      I have seen people open these types of emails in organizations that rely on document management systems. Often the recipients get a steady stream of network scans and are desensitized to unexpected links or attachments.

    • (Score: 2) by Grishnakh on Wednesday January 03 2018, @04:40PM (2 children)

      by Grishnakh (2831) on Wednesday January 03 2018, @04:40PM (#617203)

      Anyone who works for a company with a network scanner would, and *should*, open these things. That's how network scanners work. You go to the big-ass printer/scanner/copier down the hall, put your documents on the sheet feeder, press "scan" and tell it to send them to you, and it scans them in, makes a PDF, and emails it to you.

      Not using Adobe software is generally inadvisable too. How else are you going to cryptographically sign PDFs your company needs you to sign?

      Basically, you're applying your own thinking from your home computers to the way enterprises work, and that doesn't translate.

      Personally, I applaud the malware writers for making people suffer for choosing a monoculture and Windows.

      • (Score: 2) by frojack on Wednesday January 03 2018, @08:33PM

        by frojack (1554) on Wednesday January 03 2018, @08:33PM (#617332) Journal

        Clue: Adobe does not have the market cornered on cryptographic signatures.
        https://www.digitaltrends.com/computing/best-pdf-editors/ [digitaltrends.com]
        https://www.pcmag.com/business/directory/electronic-signature [pcmag.com]

        I would know if my company had a network scanner and would be able to distinguish between those and obvious fakes from random email addresses. And so would spamassassin.

        --
        No, you are mistaken. I've always had this sig.
      • (Score: 1) by Goghit on Thursday January 04 2018, @02:57PM

        by Goghit (6530) on Thursday January 04 2018, @02:57PM (#617697)

        This. I had an archiving project at work that involved spending a half hour down the hall feeding batches of paper into the network printer/scanner, then going back to my desk and spending the next half hour renaming files and checking the quality of the scans. If one of these had hit my email queue at the wrong time I would have been toast.

  • (Score: 0) by Anonymous Coward on Wednesday January 03 2018, @08:47AM (1 child)

    by Anonymous Coward on Wednesday January 03 2018, @08:47AM (#617101)

    It assumes that you know it's talking about Windoze.
    Y'know, the malware magnet. [google.com]

    The idiots who constructed the page also included styling in their HTML but never checked how that works.
    (Black text on a saturated blue background is stupid.)

    It should also come as no great surprise that the page fails validation. [w3.org]

    Sorry! This document cannot be checked.
    [...]
    on line 11 it contained one or more bytes that I cannot interpret as utf-8 (in other words, the bytes found are not valid values in the specified Character Encoding).

    -- OriginalOwner_ [soylentnews.org]

    • (Score: 2) by requerdanos on Wednesday January 03 2018, @01:04PM

      by requerdanos (5997) Subscriber Badge on Wednesday January 03 2018, @01:04PM (#617139) Journal

      Not to mention lexically unparseable gems such as

      gain unauthorised access to a victim PC backdoor into the victim PC

  • (Score: 3, Insightful) by nobu_the_bard on Wednesday January 03 2018, @01:37PM (2 children)

    by nobu_the_bard (6373) on Wednesday January 03 2018, @01:37PM (#617143)

    They've been doing this for YEARS guys! I have "scanned by epson" custom rules in my spam filter from 2016. I've been advising users to NOT directly scan-to-email to users outside of their office, and where it was feasible or the users had a habit of doing it anyway, restricted the printer or its email account to that very same limitation. Then it's easier to train them to only trust scan-to-emails from their own printer they recognize and refuse all others.

    "Anti-detection techniques" like fake extensions go back even further. Hardly any spam filter I know of doesn't take into account the possibility of a trick like file.pdf.exe with the PDF icon. Windows will hide that .exe from the user so they won't think twice about clicking it.

    I thought this was going to be about malware injecting print drivers to use the print spooler as its foothold. That's a more recent problem I've been having, though it's not a new problem either. If the malware screws up the print spooler, it'll likely crash, which screws up printing for anyone sharing that resource (whether on a terminal server or a print server).

    • (Score: 2, Interesting) by Anonymous Coward on Wednesday January 03 2018, @01:46PM (1 child)

      by Anonymous Coward on Wednesday January 03 2018, @01:46PM (#617144)

      What admin leaves a system configured to hide known extensions?

      • (Score: 4, Informative) by Grishnakh on Wednesday January 03 2018, @04:44PM

        by Grishnakh (2831) on Wednesday January 03 2018, @04:44PM (#617205)

        Most of them, I think, but that has been a vector for malware for as long as I can remember Windows being around, so anyone who still does that deserves whatever happens to them.
