Printer-spoofing Campaign Installs Espionage-Bent Backdoors Inside the Enterprise

Printer-spoofing Campaign Installs Espionage-Bent Backdoors Inside the Enterprise

For many large organizations, emails from corporate printers and scanners are commonplace, and cyber-criminals are finding this vector to be a lucrative host to launch cyber-attacks.

Barracuda Networks has tracked an uptick in attacks through Canon, HP and Epson printer and scanner email attachments of late: Since late November, cyber-criminals have made millions of attempts to infect unsuspecting users by sending impersonated or spoofed emails from these common printer and scanner brands, with attachments that contain malware.

“Aside from the coffee maker and the office water cooler, few devices receive the magnitude of use that the corporate printer is subjected to on a daily basis,” said Barracuda SVP of technology, Fleming Shi, in a blog. “This is because these machines function way beyond the boundaries of a simple printer; in fact, they’re commonly used to scan and copy pages and can even be called upon to send emails of scans as an easy way to receive PDF versions of documents.”

Typically, the subject line of the malicious emails would seem routine: “Scanned from HP”, “Scanned from Epson” or “Scanned from Canon,” for instance. Using modified file names and extensions, the attackers are also able to hide the malicious code and bypass security measures such as email antivirus systems. So end users are often none the wiser about the attack.

Once unpacked, the malware installs a backdoor on the machine that offers unauthorized access to a victim PC and cyberespionage capabilities. This includes the ability to monitor user behavior, change computer settings, browse and copy files, utilize bandwidth for criminal activity, access connected systems, and more. It also scans connections in an attempt to escalate from having user rights on the workstation to having local administrator rights.

Further, indicating a ramsomware-ready aspect, attackers also can change the victim’s wallpaper to display a message of their choice.

Workers should use common sense to avoid the threat: Shi advocates double-checking with the sender if one didn’t know a scanned document was coming; hovering the mouse over every hyperlink to make sure it’s legitimate; and simply not clicking if there’s any doubt whatsoever. 

Source: Information Security Magazine