In these high-tech times, scanners and photocopiers aren’t just dumb machines sitting in the corner of the office.
They are usually connected to the corporate network, and – in some cases – can even email you at your desk to save you having to wear out your shoe leather.
And it’s precisely this functionality that we have seen cybercriminals exploiting today, pretending that their malicious emails in fact come from an HP scanner inside your organisation.
Here’s a typical example of the emails we have been intercepting at SophosLabs:
Subject: Re: Scan from a Hewlett-Packard ScanJet 4952740
Message body:
Attached document was scanned and sent to you using a Hewlett-Packard I-56919SL.
SENT BY: SHERRIL
PAGES: 7
FILETYPE: .DOC [Word2003 File]
As you’ll see in the next example, the precise wording (the names and numbers used) can vary from email to email. But each of the emails has the same file attached – HP_Document.zip.
So, what’s in the ZIP file?
hp_page-1-19_24.07.2012.exe
Clearly that’s not a scanned-in image – it’s executable code.
In fact, it’s a Trojan horse called Troj/Agent-XDD, capable of infecting your Windows PC and putting your computer data at risk.
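The lure works because the attachment is judged by its name ("HP_Document.zip", "PAGES: 7", "FILETYPE: .DOC") rather than by what is inside it. The following is an added example, not code from the original post or from Sophos: a small mail-gateway style check that parses a message, opens any ZIP attachment in memory and flags members that are executables, either by extension or by the Windows PE "MZ" header, so a renamed or double-extension file is caught too. The message and the archive it inspects are constructed here to mirror the campaign described above; the inert "MZ" bytes, the second member name and the e-mail addresses are assumptions for the demonstration, not recovered from a real sample.

```python
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Extensions Windows will run directly; a scanned document should never carry one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# First two bytes of every Windows PE executable (the DOS stub header).
PE_MAGIC = b"MZ"


def inspect_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for each ZIP member that looks executable.

    Both the extension and the magic bytes are checked, so a PE renamed to
    '.doc' or hidden behind a double extension is still reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            with zf.open(info) as member:
                if member.read(len(PE_MAGIC)) == PE_MAGIC:
                    reasons.append("PE header (MZ) regardless of extension")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and inspect every attachment.

    Returns (attachment/member, reason) pairs; an empty list means nothing
    executable was found.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        # Treat anything that is, or claims to be, a ZIP as an archive to open.
        if filename.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                for member, reason in inspect_zip(payload):
                    findings.append((f"{filename}/{member}", reason))
            except zipfile.BadZipFile:
                findings.append((filename, "claims to be a ZIP but is not a valid archive"))
        elif (os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS
              or payload[:2] == PE_MAGIC):
            findings.append((filename, "bare executable attachment"))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure modelled on the campaign in the post (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The member name from the post; the body is just an MZ header plus
        # padding, i.e. inert bytes that are not a working program (assumption).
        zf.writestr("hp_page-1-19_24.07.2012.exe", PE_MAGIC + b"\x90" * 62)
        # Assumed double-extension variant: shows as 'hp_page-2.doc' when
        # Windows hides known extensions, yet it is still an .exe.
        zf.writestr("hp_page-2.doc.exe", PE_MAGIC + b"\x00" * 62)
        # A harmless text member, included to show it is not flagged.
        zf.writestr("readme.txt", b"Scanned by ScanJet")

    msg = EmailMessage()
    msg["Subject"] = "Re: Scan from a Hewlett-Packard ScanJet 4952740"
    msg["From"] = "scanner@example.com"  # assumed spoofed sender
    msg["To"] = "victim@example.com"  # assumed recipient
    msg.set_content(
        "Attached document was scanned and sent to you using a Hewlett-Packard I-56919SL.\n"
        "SENT BY: SHERRIL\nPAGES: 7\nFILETYPE: .DOC [Word2003 File]\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="HP_Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for where, why in scan_message(build_sample_message()):
        print(f"BLOCK {where}: {why}")
```

Running the block prints one BLOCK line per executable member; the text file inside the same archive produces nothing. The magic-byte test is the part worth keeping even if the extension list changes: it is what catches the file a user would see as a Word document once "Hide extensions for known file types" has done its work.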
Here’s a list of some of the different subject lines we saw in this spammed-out malware campaign, in just the course of a few seconds:
We’ve seen malware spread as scans from HP devices in the past, but there has been a notable wave of malicious code spammed out using the disguise today – so be on your guard.
If you are one of the many people seeing this malware attack in your email today, please do not click on the attachment even if you are waiting for a scanned-in document to be sent to you. Instead, simply delete the email and your computer will be safe.
Scanner image from Shutterstock.
This post has a (deliberately?) misleading headline. It's also somewhat nonsensical – perhaps should be 'Malware attack spreads……'
Anyway, the headline implies that malicious emails are being sent from corporate MFP's…and that could only happen if such devices were compromised.
In fact, this is just another spam run using an MFP-related social engineering technique.
Please continue to alert us to breaking security stories…but please keep the headlines FUD-free. thanks!
I'm sorry if the headline confused you – that wasn't my intention. Give me some leeway, and you'll understand that I was trying to convey that the emails pretend to come from your HP scanner… not that they actually do.
Imagine if it had been "Malware attack spread as naked Jennifer Lopez video" if that helps.
And I was right to say "spread" I think, rather than "spreads". If it was "spreads" then that would suggest that the malware attack was actually spreading. However, the malware in this case is a Trojan horse without self-replicating functionality.
Instead someone has *spread* it by spamming it out as an email. The malware attack has been spread.
Anyway, I hope the warning was useful.
This isn’t new. I’ve been seeing these for (IIRC) about a year. They come in by the dozens. The spam trap eats them.
Yes, we've seen the technique used before. Clearly it's working – otherwise the bad guys would give up on the disguise and choose another one.
So is it just me who would look at these and instantly wonder why it has FWD: or RE: at the front of the subject? If it is a scan coming directly from the scanner you would not see those in the subject and the from address is clearly spoofed to look like a scanner.
So once again, if you actually slow down and spend even 2 seconds looking at your e-mail you should never fall for these tricks.
It's not *just* you. There are lots of smart, savvy folks who might think like that too.
But put yourself in the shoes of some busy, harassed, overworked executive, who barely has enough time to defluff their mouse, let alone battle their way through a mountain of email each day.
All of us make mistakes from time to time, and might foolishly click on a link or an unsolicited attachment without thinking of the possible consequences.
I am a little confused.
First, I know that Gmail does not like .exe files in .zip or .rar archives. However, presumably, other e-mail services are OK with this or the attack would not function.
Second, the victim downloads the .zip, unzips it, and now has an .exe. Why would they execute it (since it is supposed to be their scanned document, which is obviously not an .exe)?
Yes, GMail is a little more ruthless about what filetypes it blocks than other email systems.
And yes, people really *do* open .EXE files when they’ve been told in an attack to expect a Word document.
You may be savvy enough not to fall for such a trick, but plenty of users do, sadly. It’s a case of PEBKAC (Problem Exists Between Keyboard And Chair).
[and let's not even get into the debate of whether you can trust .DOC files or not...]
People open this crap because Microsoft still insists that 'Hide extensions for known file types' is a good default.
To your average Joe there is little difference between an EXE with its icon set to the MS Word logo and a .doc file.
Same thing with MSN: you can't send certain types of files like executables as an attachment, or at all.
Although it's an old and common technique, thanks for spreading awareness about what's going on in the wild at the moment.
This type of attack targets email services from websites: if you have a name@yoursite.com email address and don't use an email client with good filters, or just open any email from an unknown source, you are at risk. The best way to protect yourself from things like this is to go slow, read and think before you act. Antivirus is cheap considering what malware/viruses can do to your computer.
If 100% of technology users were savvy enough to notice such email messages as spam, malware, or other attacks, companies like Sophos, Symantec, McAfee, Kaspersky, etc., may not exist (or exist for very long).
And what do you do if you did click on it?
Hi, I was that busy and, in hindsight, foolish executive.
I did indeed mistake it for an MS Excel file – more problematic as I actually work for HP, so we’re conditioned to open stuff from in house.
More concerning, our corporate anti-virus didn't find anything, so now I'm wondering if I have a Trojan or not?
Scanners are mainly normal computer devices. But somewhere it was found that some emails are sent by scanners. And those emails are spam emails; by clicking those emails, the systems are infected by malware. Literally, these emails are sent by the criminal hackers who want to spread malware in the systems, so they use scanners to spread the malware.
With more digitizations and transfers to a paperless official structure, malware attacks are very much evident. Prevention and disaster management will be the key in the days to come.