Malware attack spread as email from your office's HP scanner

Filed Under: Featured, Malware, Spam

In these high-tech times, scanners and photocopiers aren't just dumb machines sitting in the corner of the office.

They are usually connected to the corporate network, and - in some cases - can even email you at your desk to save you having to wear out your shoe leather.

And it's precisely this functionality that we have seen cybercriminals exploiting today, pretending that their malicious emails in fact come from an HP scanner inside your organisation.

Here's a typical example of the emails we have been intercepting at SophosLabs:

Example of malicious email

Subject: Re: Scan from a Hewlett-Packard ScanJet 4952740

Message body:
Attached document was scanned and sent to you using a Hewlett-Packard I-56919SL.

SENT BY: SHERRIL
PAGES: 7
FILETYPE: .DOC [Word2003 File]

As you'll see in the next example, the precise wording (the names and numbers used) can vary from email to email. But each of the emails has the same file attached - HP_Document.zip.

Example of malicious email

So, what's in the ZIP file?

hp_page-1-19_24.07.2012.exe

Clearly that's not a scanned-in image - it's executable code.

In fact, it's a Trojan horse called Troj/Agent-XDD, capable of infecting your Windows PC and putting your computer data at risk.

Here's a list of some of the different subject lines we saw in this spammed-out malware campaign, in just the course of a few seconds:

Some subject lines used by malicious email

We've seen malware spread as scans from HP devices in the past, but there has been a notable wave of malicious code spammed out using the disguise today - so be on your guard.

If you are one of the many people seeing this malware attack in your email today, please do not click on the attachment even if you are waiting for a scanned-in document to be sent to you. Instead, simply delete the email and your computer will be safe.
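One way a mail gateway could catch this particular lure, as an added Python example that is not Sophos code and not part of the original post: it parses a message, reads the FILETYPE the body claims, and compares that with what the HP_Document.zip attachment actually contains. The message is constructed here from the wording above, and the ZIP member is a stub, not the real Trojan.

```python
import email
import email.policy
import io
import os
import re
import zipfile
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
LURE_SUBJECT = re.compile(r"scan from a hewlett-packard", re.I)
CLAIMED_TYPE = re.compile(r"FILETYPE:\s*(\.\w+)", re.I)


def build_sample_message(member_name="hp_page-1-19_24.07.2012.exe"):
    """Constructed sample shaped like the lure; the ZIP member is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Re: Scan from a Hewlett-Packard ScanJet 4952740"
    msg["From"] = "scanner@example.invalid"   # assumed sender, spoofed in the real campaign
    msg["To"] = "user@example.invalid"
    msg.set_content("Attached document was scanned and sent to you using a "
                    "Hewlett-Packard I-56919SL.\n\nSENT BY: SHERRIL\nPAGES: 7\n"
                    "FILETYPE: .DOC [Word2003 File]\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="HP_Document.zip")
    return msg.as_bytes()


def scan_message(raw):
    """Compare the file type the body claims against what the ZIP really holds."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    m = CLAIMED_TYPE.search(body)
    claimed = m.group(1).lower() if m else None
    executables, found_exts = [], set()
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # a corrupt archive deserves its own alert; out of scope here
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            found_exts.add(ext)
            if ext in EXECUTABLE_EXTS:
                executables.append(name)
    mismatch = claimed is not None and bool(found_exts) and claimed not in found_exts
    return {"lure_subject": bool(LURE_SUBJECT.search(msg.get("Subject", ""))),
            "claimed_type": claimed, "executables": executables,
            "suspicious": bool(executables) or mismatch}
```

A real gateway would also look inside nested archives and at the file's magic bytes rather than trusting the member name alone.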

Scanner image from Shutterstock.


14 Responses to Malware attack spread as email from your office's HP scanner

  1. Tim · 630 days ago

    This post has a (deliberately?) misleading headline. It's also somewhat nonsensical - perhaps should be 'Malware attack spreads......'

    Anyway, the headline implies that malicious emails are being sent from corporate MFP's...and that could only happen if such devices were compromised.

    In fact, this is just another spam run using an MFP-related social engineering technique.

    Please continue to alert us to breaking security stories...but please keep the headlines FUD-free. thanks!

    • I'm sorry if the headline confused you - that wasn't my intention. Give me some leeway, and you'll understand that I was trying to convey that the emails pretend to come from your HP scanner... not that they actually do.

      Imagine if it had been "Malware attack spread as naked Jennifer Lopez video" if that helps.

      And I was right to say "spread" I think, rather than "spreads". If it was "spreads" then that would suggest that the malware attack was actually spreading. However, the malware in this case is a Trojan horse without self-replicating functionality.

      Instead someone has *spread* it by spamming it out as an email. The malware attack has been spread.

      Anyway, I hope the warning was useful.

  2. Joe · 630 days ago

    This isn't new. I've been seeing these for (IIRC) about a year. They come in by the dozens. The spam trap eats them.

    • Yes, we've seen the technique used before. Clearly it's working - otherwise the bad guys would give up on the disguise and choose another one.

  3. Machin Shin · 630 days ago

    So is it just me who would look at these and instantly wonder why it has FWD: or RE: at the front of the subject? If it is a scan coming directly from the scanner you would not see those in the subject and the from address is clearly spoofed to look like a scanner.

    So once again, if you actually slow down and spend even 2 seconds looking at your e-mail you should never fall for these tricks.

    • It's not *just* you. There are lots of smart, savvy folks who might think like that too.

      But put yourself in the shoes of some busy, harassed, overworked executive, who barely has enough time to defluff their mouse, let alone battle their way through a mountain of email each day.

      All of us make mistakes from time to time, and might foolishly click on a link or an unsolicited attachment without thinking of the possible consequences.

  4. Jenny · 630 days ago

    I am a little confused.

    First, I know that Gmail does not like .exe files in .zip or .rar archives. However, presumably, other e-mail services are OK with this or the attack would not function.

    Second, the victim downloads the .zip, unzips it, and now has an .exe. Why would they execute it (since it supposed to be their scanned document which is obviously not an .exe)?

    • Yes, GMail is a little more ruthless about what filetypes it blocks than other email systems.

      And yes, people really *do* open .EXE files when they've been told in an attack to expect a Word document.

      You may be savvy enough not to fall for such a trick, but plenty of users do... sadly. It's a case of PEBKAC (Problem Exists Between Keyboard And Chair).

      [and let's not even get into the debate of whether you can trust .DOC files or not..]

    • Adam · 629 days ago

      People open this crap because Microsoft still insists that 'Hide extensions for known file types' is a good default.
      To your average Joe there is little difference between an EXE with its icon set to the MS Word logo and a doc file.

    • Robert W. · 629 days ago

      Same thing with MSN: you can't send certain types of files like executables as an attachment, or at all.

  5. Samir · 630 days ago

    Although an old and common technique, thanks for spreading awareness about what's going on in the wild at the moment.

  6. Johny · 630 days ago

    This type of attack targets email services from websites. If you have a name@yoursite.com email address and don't use some email client with good filters, or just open any email from an unknown source, you are at risk. The best way to protect yourself from things like this is to go slow: read and think before you do. Antivirus is cheap considering what malware/viruses can do to your computer.

  7. Interested · 629 days ago

    If 100% of technology users were savvy enough to notice such email messages as spam, malware, or other attacks, companies like Sophos, Symantec, McAfee, Kaspersky, etc., may not exist (or exist for very long).

  8. Anonymous · 13 days ago

    And what do you do if you did click on it?


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.