InfoSec Handlers Diary Blog - Evil Printers Sending Mail

SANS ISC: InfoSec Handlers Diary Blog - Evil Printers Sending Mail

SANS Site Network
- Current Site
- Internet Storm Center
- Other SANS Sites Help
- Graduate Degree Programs
- Security Training
- Security Certification
- Security Awareness Training
- Penetration Testing
- Industrial Control Systems
- Cyber Defense Foundations
- DFIR
- Software Security
- Government OnSite Training

InfoSec Handlers Diary Blog

Evil Printers Sending Mail

Published: 2011-10-20
Last Updated: 2011-10-20 03:56:13 UTC
by Johannes Ullrich (Version: 1)

A reader reported receiving the following e-mail (modified to anonymize):

From; support@example.com
To: iscreader@example.com
Subject: Fwd: Scan from a HP Officejet #123456

A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 28628D
Sent by: FIRSTNAME
Images: 4
Attachment Type: Image (.jpg) Download

I do not have a printer like this, but it is possible that a multifunction device will send scanned documents as an e-mail in this form. In this case, the links, which I simulated above using a blue underlined font, both lead to a now defunct URL: http://freebooksdfl (dot) info/main.php . The domain is marked as "suspended for spam or abuse" in whois. One of our handlers reports seeing similar e-mail but not being able to capture any of the content on related links so far.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: malware spam

10 comment(s)

Top of page

Diary Archives