Emails claiming to come from a Xerox WorkCentre Pro photocopier have been spammed widely across the internet, containing a malicious file as an attachment.
Modern photocopiers don’t just copy your confidential documents, or see the downside of inebriated staff antics at the office party; they can also email you your documents these days.
Which makes them a possibly all-too-convincing disguise for today’s spammed-out malware campaign.
Although the precise wording varies from email to email, they all claim to be a scan (or sometimes a forwarded scan) from a Xerox WorkCentre Pro.
Subject:
Scan from a Xerox WorkCentre Pro #[number]
Message body:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: [random]
The names of attached files can vary but are along the lines of Xerox_Document_08.23_C11125.zip and Xerox_Scan_08.23_K1274.zip.
Sophos products have been intercepting the emails as spam, and will be detecting the attached file as the Troj/Dload-ID Trojan horse.
As always, be very careful opening unsolicited attachments – even if you do think at first that they could have been sent to you by one of the photocopiers in your office building.
This attack has been spammed out very aggressively – and it seems certain that some computer users may have fallen victim to it.
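A mail-filter check built on the indicators quoted above, added here as an example (it is not Sophos or Xerox code). The list of genuine device formats is an assumption taken from reader comments on this page, and the function names, addresses and sample messages are constructed for illustration.

```python
import os
import re
from email import message_from_string
from email.message import EmailMessage

# Loose match: the article says the exact wording varies between emails.
SCAN_SUBJECT = re.compile(r"xerox\s+workcentre", re.IGNORECASE)
# Assumption (from reader comments on this page): real devices send only these.
DEVICE_FORMATS = {".pdf", ".tif", ".tiff", ".jpg", ".jpeg"}


def classify(raw_message):
    """Return (verdict, offending_attachment_names) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    if not SCAN_SUBJECT.search(msg.get("Subject", "")):
        return ("not-scan-themed", [])
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    # The filename is sender-controlled, so an allowed extension proves nothing;
    # a disallowed one on a "scan" is already enough to hold the message.
    offending = [n for n in names
                 if os.path.splitext(n.lower())[1] not in DEVICE_FORMATS]
    if offending:
        return ("quarantine", offending)
    return ("plausible-device-format", [])


def build_sample(subject, filename):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "Guest <scanner@example.com>"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please open the attached document.")
    m.add_attachment(b"constructed placeholder, not a real archive",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fname in [
        ("Scan from a Xerox WorkCentre Pro #1234567", "Xerox_Document_08.23_C11125.zip"),
        ("Scan from a Xerox WorkCentre Pro #7654321", "scan001.pdf"),
        ("Quarterly report", "report.zip"),
    ]:
        print(subj, "->", classify(build_sample(subj, fname)))
```

A "plausible-device-format" verdict only means the message passed this one check; it should still go through normal attachment scanning.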
If I get an attachment that I don't fully trust, I restart my computer in Linux and open it with that. No danger then 🙂
Thanks for spreading the word about these suspicious-looking e-mails; this is something we’ve been advising customers on for more than a year now. As you mention, the e-mail mimics a scan-to-e-mail file from a Xerox WorkCentre Pro. It’s important that customers be suspicious of all scan-to-e-mail files that they were not expecting to receive and to pay attention to the “From” field of these e-mails. The spam e-mail may fill in the “From” field with a user name to make the e-mail look safe, as opposed to a machine name (i.e. wcp245@xerox.com). I advise all users to only open email attachments that are sent from a reliable, identifiable source. I encourage your readers to check Xerox.com/information-security/news for ongoing tips and advice.
Larry Kovnat, Sr. Manager, Product Security
A word to the wise on this one. The Work Center copiers can be set to send either a PDF or a TIFF image and not a ZIP file. OCR is not built-in to these copiers so sending a DOC file would not be available from these devices. This should be a known fact for the article above. As always be careful with any attachment.
Ours can send JPG as well. Our office policy is to scan the document to your own pc and then mail it onto clients from there then at least the client knows who they're receiving from.
The fundamental fact is that the WorkCentre product line can only scan files to .PDF, .TIF and .JPG formats. Self-executable files are the sort to carry infections of which all the above have spoken. Also realize, these devices include the technology for the user to identify themselves as the sender. While this was designed to enable the person receiving the scanned document to use the function of their email's "Reply" button to contact the sender, it also affords a bit of confidence that you know the sender. This is the sort of security and user-friendly features built into the Xerox MFP product line (as standard equipment), unlike anyone else's product. Ask any Xerox AOS for the details.
I try to report all phishing attempts to the claimed originator who usually seem to appreciate so. I hope the information will permit action to stop. Does anyone know relevant email address for Xerox?
Kevin
I received this email and it was sent to the email address that was created only for logmein.com. So, how would this email address have landed in the hands of the people responsible for this scam? Security issue or is Logmein sharing our email addresses?