
Evil Printers Sending Mail

Published: 2011-10-20
Last Updated: 2011-10-20 03:56:13 UTC
by Johannes Ullrich (Version: 1)

A reader reported receiving the following e-mail (modified to anonymize):

From: support@example.com
To: iscreader@example.com
Subject: Fwd: Scan from a HP Officejet #123456

A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 28628D
Sent by: FIRSTNAME
Images: 4
Attachment Type: Image (.jpg) Download

I do not have a printer like this, but it is possible that a multifunction device will send scanned documents as an e-mail in this form. In this case, the links, which I simulated above using a blue underlined font, both lead to a now defunct URL: http://freebooksdfl (dot) info/main.php . The domain is marked as "suspended for spam or abuse" in whois. One of our handlers reports seeing similar e-mail but not being able to capture any of the content on related links so far.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
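
A mail-filter check for the pattern reported above, as an added example that is not part of the original diary: it flags a message that poses as a scan-to-email notice, mentions an image attachment without carrying one, and links to hosts outside the recipient's own domains. The sample message is constructed, its HTML layout and the absence of a real attachment are assumptions, and `scan-host.invalid` is a placeholder host.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample modelled on the anonymized message in the diary.
# The HTML body and the placeholder link host are assumptions.
SAMPLE = """\
From: support@example.com
To: iscreader@example.com
Subject: Fwd: Scan from a HP Officejet #123456
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>A document was scanned and sent to you using a Hewlett-Packard
HP Officejet 28628D<br>Sent by: FIRSTNAME<br>Images: 4<br>
Attachment Type: <a href="http://scan-host.invalid/main.php">Image (.jpg)</a>
<a href="http://scan-host.invalid/main.php">Download</a></p>
"""

SCANNER_SUBJECT = re.compile(r"\bscan(ned)?\b.*\b(officejet|printer|scanner)\b", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def check_scan_notice(raw, internal_domains):
    """Return findings for a message that poses as a scan-to-email notice."""
    msg = message_from_string(raw, policy=default)
    if not SCANNER_SUBJECT.search(msg.get("Subject", "")):
        return []  # not a scanner-style notification, nothing to check
    parts = list(msg.walk())
    has_image = any(p.get_content_maintype() == "image" for p in parts)
    text = "".join(p.get_content() for p in parts
                   if p.get_content_maintype() == "text")
    findings = []
    # A real multifunction device attaches the scan; this lure only links to it.
    if not has_image and re.search(r"attachment type", text, re.I):
        findings.append("claims an image attachment but carries none")
    hosts = {(urlparse(u).hostname or "").lower() for u in HREF.findall(text)}
    for host in sorted(hosts):
        internal = any(host == d or host.endswith("." + d) for d in internal_domains)
        if not internal:
            findings.append(f"link to external host: {host}")
    return findings

if __name__ == "__main__":
    for finding in check_scan_notice(SAMPLE, ["example.com"]):
        print(finding)
```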

Keywords: malware spam