Threat Spotlight: Clever cybercriminals spoof scanners by the millions

Version imprimable, PDF et e-mail

Aside from the coffee maker and the office water cooler, few devices receive the magnitude of use that the corporate printer is subjected to on a daily basis.  This is because these machines function way beyond the boundaries of a simple printer; in fact, they're commonly used to scan and copy pages and can even be called upon to send emails of scans as an easy way to receive PDF versions of documents.

In this Threat Spotlight, we take a look at how criminals are using common spoofing techniques to launch attacks containing malicious attachments that appear to be coming from your network printer.  The attackers have chosen PDF generating devices because PDF files can be weaponized to deliver active contents which can be harmful to users.  Receiving a PDF attachment in an email sent by a printer is so commonplace that many users assume the document is completely safe.  From a social engineering perspective, this is exactly the response that the cybercriminals want.

These attacks spoof your network printer and deliver weaponized pdf files to your inboxes. Click To Tweet

Highlighted Threat:  

Scanner spoof with malicious attachment – Canon, HP, and Epson brand printer/scanner devices are being impersonated or spoofed by email that contains malicious attachments known to have malware.  These cybercriminals are using clever malware in order to remain undiscovered and inflict the most amount of damage.

The Details:

Over the past month, we’ve been tracking activity from cybercriminals who are spoofing printer/scanner attachments in emails to spread malware. We witnessed the initial attack in late November, which was soon followed by millions of attempts to infect unsuspecting users via email.

Clever malware:  Typically the subject line of the malicious emails would read something like “Scanned from HP”, “Scanned from Epson”, or “Scanned from Canon” while containing a malicious file attachment with anti-detection techniques:

1) Misusing file name extensions

These threats are using modified file names and extensions, inside the traditional file archive, which allows attackers to hide the malicious code inside the archive, imitating a ‘.jpg’, ‘.txt’ or any other format. This is possible by using various methods such as exploiting the WinRAR file extension spoofing vulnerability.

By misusing file name extensions, cybercriminals can sometimes bypass security measures such as email antivirus systems.  This allows the attack to ultimately reach end-user email accounts.

2) Remote file download

This malware attachment provides the attackers with the ability to initiate covert surveillance or gain unauthorized access to a victim PC. When the user clicks on the threat attachment, the malware is triggered and has configured communication protocols which are set up upon initial infection. This backdoor into the victim PC can allow unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more.

Receiving a PDF attachment in an email sent by a printer is so commonplace that many users assume the document is completely safe. Click To Tweet

User wallpaper modification:  Attackers change the victim's wallpaper by using a ‘shell' command to upload an image file to the victim's system and set the image as the wallpaper.

Identify user/domain shares on the system:  Once these attackers have compromised the users’ systems with the malicious code in the attachment, they can use Windows Explorer and search for shares on the system. They can leverage this to escalate from having user rights on the workstation to having local administrator rights, and easily search the domain SYSDOL DFS shares for XML files that contain credentials.

Identify the size of the disk: In addition, this malware can check for network-connected systems and attempt to connect to \\FoundSystemName\C$. If it’s successful in connecting, it has the potential to gain full access to the contents of that drive including the size of the disk.


Below are three examples of this threat to show how attackers are trying to convince victims to click on the attachment.



Take action: Safety Tips and Preventive Measures


  • If you didn’t know a scanned document was coming, delete the file or double check with the sender to make sure that the person you think is sending a scanned document really intended to.
  • Hover your mouse over every hyperlink to make sure it looks like it’s legitimate.
  • If there is any doubt or suspicion, don’t click!

User Training and Awareness and Advanced Threat Protection — Employees or really anyone using email should be regularly trained and tested to increase their security awareness of various attacks like these phishing attempts. Simulated attack training is by far the most effective form of training.

Layering training with an email security solution that offers sandboxing and advanced threat protection should block spam, phishing attacks, and malware before it ever reaches the corporate mail server or user inboxes. Additionally, you can deploy anti-phishing protection with Link Protection to look for links to websites that contain malicious code. Attachments with malware are blocked, even if the malicious code is hidden in the contents of the attached document.

Remonter en haut de page