Cybercriminals Using Fake Printer/Scanners Emails with Malicious Attachments to Hack Users

Beware of unusual, suspicious emails with attachments that appear to be generated by network printer/scanners. Barracuda, a California company that markets IT security products, reported late last month that cybercriminals are using common spoofing techniques to launch attacks with malicious attachments that appear to come from network printer/scanners. According to the firm, the attackers have chosen to impersonate PDF-generating devices because PDF files can be “weaponized” to deliver active content that is harmful to users. To make matters worse, receiving a PDF attachment in an email sent by a printer is so commonplace that many users assume the document is completely safe.

Scanner Spoof with Malicious Attachment

According to Fleming Shi, senior vice president of Technology at Barracuda, Canon, HP Inc., and Epson printer/scanners are being impersonated or spoofed by emails carrying attachments known to contain malware.

Over the past month, the firm said it had been tracking activity from cybercriminals who are spoofing printer/scanner attachments in emails to spread malware. It witnessed the initial attack in late November 2017, “which was soon followed by millions of attempts to infect unsuspecting users via email.”

Typically the subject line of the malicious email is something like “Scanned from HP,” “Scanned from Epson,” or “Scanned from Canon,” and the attachment is a malicious file. According to Barracuda, the attachments and the malware they carry have three notable traits:

  • Misusing file-name extensions: The attachment is an ordinary-looking archive whose member file names and extensions have been manipulated so that the malicious code inside appears to be a ‘.jpg’, ‘.txt’ or other harmless format. One way to do this is the WinRAR file-extension spoofing vulnerability, where the name shown in the archive listing and the name the file is actually extracted under come from different parts of the archive. A disguised extension can sometimes get past email antivirus scanning, so the attachment reaches end-user mailboxes.
  • Remote file download: The malware gives the attackers a backdoor for covert surveillance of, or unauthorized access to, the victim’s PC. When the user opens the attachment the malware runs and brings up the command-and-control channel it was configured with at initial infection. That backdoor can allow unfettered access: monitoring user behaviour, changing computer settings, browsing and copying files, using the victim’s Internet connection for further criminal activity, reaching connected systems, and more.
  • User wallpaper modification: The attackers change the victim’s wallpaper by issuing a “shell” command that uploads an image file to the victim’s system and sets it as the wallpaper.

Identify User/Domain Shares on the System

Once the attackers have compromised a user’s workstation with the code in the attachment, they can use Windows Explorer to search for file shares reachable from that system. From there they work on escalating from user rights on the workstation to local administrator rights, and they can search the domain’s SYSVOL DFS share for XML files that contain credentials. Two points worth knowing for defenders: SYSVOL is readable by every authenticated domain account, so no escalation is needed for that step, and the XML files in question are Group Policy Preferences items whose cpassword attribute holds a password encrypted with a key Microsoft has published (the MS14-025 issue), so anyone who can read the file can recover it.

The malware can also look for other systems on the network and attempt to connect to \\FoundSystemName\C$, the hidden administrative share for that system’s C: drive. If the connection succeeds (which requires administrator rights on the target), the attacker has full access to the contents of that drive, down to reading the size of the disk.
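The SYSVOL step above is just as useful run from the defender’s side: the same search that finds credentials for an attacker finds them for an administrator who can then remove them. The script below is an added example, not Barracuda’s or the article’s code. It walks a SYSVOL-style tree, parses the Group Policy Preferences XML files that can carry a cpassword attribute, and reports the file and account for every non-empty one. The sample policy files and directory names it builds in a temporary directory are constructed for this example, and the cpassword values are placeholders rather than real encrypted blobs.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preferences files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# The attribute naming the account a stored password belongs to, which differs per file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


def find_gpp_credentials(sysvol_root):
    """Walk a SYSVOL tree and list every GPP item that still embeds a cpassword.

    Returns a list of {"file", "account", "cpassword"} dicts. An empty or missing
    cpassword means no password is stored for that item, so it is not reported."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unparsable file; a real audit would report it separately
            for elem in root.iter():
                cpw = elem.get("cpassword")
                if not cpw:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
                findings.append({
                    "file": os.path.relpath(path, sysvol_root).replace(os.sep, "/"),
                    "account": account,
                    "cpassword": cpw,
                })
    return findings


# Constructed sample policy files (not captured data); cpassword values are placeholders.
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" changed="2017-11-28 09:12:00">
    <Properties action="U" description="Workstation admin" cpassword="PLACEHOLDER_BLOB_1=="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User name="helpdesk" changed="2017-11-28 09:15:00">
    <Properties action="U" cpassword="" userName="helpdesk"/>
  </User>
</Groups>
"""

SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="BackupAgent">
    <Properties startupType="AUTOMATIC" serviceName="BackupAgent"
                accountName="CORP\\svc_backup" cpassword="PLACEHOLDER_BLOB_2=="/>
  </NTService>
</NTServices>
"""


def build_sample_sysvol():
    """Create a temporary SYSVOL-like tree holding the constructed files above; returns its root.
    The domain name and policy GUID are made up for this example."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(root, "corp.example", "Policies",
                         "{0A1B2C3D-0000-4000-8000-000000000001}", "Machine", "Preferences")
    for subdir, fname, content in (("Groups", "Groups.xml", GROUPS_XML),
                                   ("Services", "Services.xml", SERVICES_XML)):
        os.makedirs(os.path.join(prefs, subdir))
        with open(os.path.join(prefs, subdir, fname), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sysvol = build_sample_sysvol()
    for hit in find_gpp_credentials(sysvol):
        print(f"{hit['file']}: account {hit['account']!r} has a stored cpassword")
```

Run against a real domain, point find_gpp_credentials() at the SYSVOL share (for example a mounted \\domain\SYSVOL) with an ordinary domain account; anything it reports should be removed from the policy and the affected account’s password rotated, since the encryption offers no protection.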

[Screenshot in the original article: an example of a suspicious “Scanned from” email. Image not reproduced here.]

Safety Precautions

Barracuda’s Shi recommends that if you didn’t know a scanned document was coming, delete the file or double-check with the sender to make sure that the person you think is sending a scanned document really intended to.

Hover your mouse over every hyperlink to make sure it looks like it’s legitimate. If you have any doubt or suspicion, don’t click on it.

Shi also recommends that employees – or anyone using email – should be regularly trained and tested to increase their security awareness of various attacks like these phishing attempts. Simulated attack training is said to be by far the most effective form of training.

Layering training with an email security solution that offers sandboxing and advanced threat protection should block spam, phishing attacks, and malware before it ever reaches the corporate mail server or user inboxes. Companies can also deploy anti-phishing protection with Link Protection to look for links to Web sites that contain malicious code. Attachments with malware are blocked, even if the malicious code is hidden in the contents of the attached document.

A representative from Canon U.S.A. recommends that customers reduce the risk of these spoofing attacks by changing the default subject line in “Scan and Send” to something unique to the organization (such as “Company XYZ Office Scan”). That would likely make employees wary of the generic subject lines cybercriminals use (such as “Scanned from Canon”).
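The Canon advice, the generic subject lines Barracuda lists, and Shi’s “did you expect a scan?” question can be turned into a gateway rule. The Python below is an added example, not code from Barracuda, Canon or the article. It parses a raw message with the standard library and scores three indicators: a generic vendor subject that is not the organization’s unique one, a From address in the organization’s own domain that the gateway’s Authentication-Results header marks as failing SPF or DMARC (a printer on the LAN does not fail its own domain’s checks), and an attachment type no scanner produces. The mail domain, the unique subject, the risky-extension list and both sample messages are assumptions constructed for this example; the base64 bodies are an empty ZIP and a PDF header, not real attachments.

```python
import email
import email.utils
from email import policy

# Assumptions for this example: the organization's own mail domain and the unique
# scanner subject it configured on its devices, per the Canon advice above.
INTERNAL_DOMAIN = "example.com"
ORG_SCAN_SUBJECT = "Company XYZ Office Scan"
GENERIC_SCAN_SUBJECTS = ("scanned from hp", "scanned from epson", "scanned from canon")
# A scanner sends PDFs or images; none of these should ever arrive from one (example's own list).
RISKY_EXTS = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".jse", ".vbs",
              ".jar", ".iso", ".lnk", ".hta"}


def _ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_scanner_email(raw):
    """Score one raw RFC 5322 message for fake-scanner indicators.

    Returns {"score": n, "reasons": [...]}, one reason per matched heuristic.
    The caller chooses the quarantine threshold."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    auth = str(msg["Authentication-Results"] or "").lower()
    reasons = []

    if subject != ORG_SCAN_SUBJECT and subject.lower().startswith(GENERIC_SCAN_SUBJECTS):
        reasons.append(f"generic vendor subject: {subject!r}")

    # The spoof claims an internal device; the gateway's SPF/DMARC verdict says otherwise.
    if sender.endswith("@" + INTERNAL_DOMAIN) and ("spf=fail" in auth or "dmarc=fail" in auth):
        reasons.append(f"internal sender {sender} failed SPF/DMARC")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in RISKY_EXTS:
            reasons.append(f"attachment {name!r} ({part.get_content_type()}) is not a scan")

    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages (not captured mail). The ZIP body is an empty archive.
SPOOF_EMAIL = b"""\
From: HP Scanner <scanner@example.com>
To: alice@example.com
Subject: Scanned from HP
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the scanned document attached.
--b1
Content-Type: application/zip; name="Scan_0001.zip"
Content-Disposition: attachment; filename="Scan_0001.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

LEGIT_EMAIL = b"""\
From: Office Scanner <scanner@example.com>
To: alice@example.com
Subject: Company XYZ Office Scan
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Scanned on the 3rd floor copier.
--b2
Content-Type: application/pdf; name="Scan_0001.pdf"
Content-Disposition: attachment; filename="Scan_0001.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF_EMAIL), ("legit", LEGIT_EMAIL)):
        verdict = triage_scanner_email(raw)
        print(label, verdict["score"], verdict["reasons"])
```

The From-domain test only works because it is paired with the authentication verdict: the spoofed message uses an internal-looking address precisely so that a naive “internal sender” allowlist would pass it. Without SPF and DMARC enforced at the gateway, the subject and attachment checks are all that remain.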

For more information on Barracuda’s security solutions, visit the firm here.

Editor’s Note: This post has been edited for clarity. The printer/scanners themselves aren’t being used to generate the email message. Instead, cybercriminals are sending email messages that appear to come from company printer/scanners. We apologize for any confusion.
