SANS ISC: Evil Printers Sending Mail - Internet Security | DShield SANS ISC InfoSec Forums
Evil Printers Sending Mail

A reader reported receiving the following e-mail (modified to anonymize):

From: support@example.com
To: iscreader@example.com
Subject: Fwd: Scan from a HP Officejet #123456

A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 28628D
Sent by: FIRSTNAME
Images: 4
Attachment Type: Image (.jpg) Download

I do not have a printer like this, but it is possible that a multifunction device will send scanned documents as an e-mail in this form. In this case, the links, which I simulated above using a blue underlined font, both lead to a now defunct URL: http://freebooksdfl (dot) info/main.php . The domain is marked as "suspended for spam or abuse" in whois. One of our handlers reports seeing similar e-mail but not being able to capture any of the content on related links so far.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3537 Posts
ISC Handler
Do you have the headers of the received email?
Anonymous
I too have seen these attempts to seduce noobs to open attachments. Sorry I didn't save it. :-(
Moriah

133 Posts
We've blocked a couple hundred of these over the past week. From addresses seen include scan@ourdomain.com, support@ourdomain.com and hp@ourdomain.com.

Sample header below:

Received: from [117.242.0.20] ([117.242.0.20]) by [snip] with SMTP;
Wed, 19 Oct 2011 09:10:58 PDT
Received: from [117.242.0.20] by [snip]; Wed, 19 Oct 2011 03:40:58 +0530
From: <support@ourdomain.com.com>
To: <[snip]@ourdomain.com>
Subject: Re: Scan from a HP Officejet #460647
Date: Wed, 19 Oct 2011 03:40:58 +0530
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0BB4_01CC8EA7.C9D62900"
X-Mailer: Microsoft Office Outlook, Build 12.0.6416
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.1158
Thread-Index: AcON37T19E6VAJSH4ILH04D3SHOWLR==
Message-ID: <44ea01cc8ea7$ca08d1c0$1400f275@WENZIMMERMANVNJYnTX>
X-CM: Latest Threats II
X-pstn-disposition: quarantine

--------------------------------------------------------------------------------

Date: Wed, 19 Oct 2011 03:40:58 +0530
From: <support@ourdomain.com>
To: <[snip]@ourdomain.com>
Subject: Re: Scan from a HP Officejet #460647

A document was scanned and sentto you using a Hewlett-Packard HP Officejet 2075D.Sent by: WEN
Images : 8
Attachment Type: Image (.jpg) Download

Hewlett-Packard Officejet Location: machine location not set
Device: CRP848SO0SLM3943550

Moriah
5 Posts
We are seeing the same thing and have been for months.

Return-path: <AmyRynes@euronet.nl>
Received: from 18913056101.user.veloxzone.com.br (unverified [189.13.56.101]) by <ourserver>
(Rockliffe SMTPRA 9.0.1) with SMTP id <B0004477005@<ourserver> for <support@<ourdomain>.com>;
Wed, 19 Oct 2011 12:09:56 -0400
Received: from 18913056101.user.veloxzone.com.br (helo=lmnneja.gp) by 18913056101.user.veloxzone.com.br with esmtpa (Exim 4.66 (FreeBSD)) (envelope-from <AmyRynes@euronet.nl>) id 1WKM24-8016qo-UY for support@<ourdomain>.com; Wed, 19 Oct 2011 11:09:55 -0300
Message-ID: <5AF29915.6030706@euronet.nl>
Date: Wed, 19 Oct 2011 11:09:55 -0300
From: <hp@<ourdomain>.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; cs-CZ; rv:1.9b5) Gecko/2008041514 Lightning/1.0b2 Thunderbird/3.0a1 ThunderBrowse/3.2.8.1
MIME-Version: 1.0
To: support@<ourdomain>.com
Subject: Scan from a HP Officejet #297450
Content-Type: multipart/alternative;
boundary="------------040108090004060400000608"
Also seeing with subject "Scan from Hewlet-Packard Officejet 397458"

William
A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 4563D.

Sent by: TRESSIE
Images : 9
Attachment Type: Image (.jpg) Download

Hewlett-Packard Officejet Location: machine location not set
Device: CRP186SO9SLM1649357

Moriah
2 Posts
We've been seeing these for nearly a month. They're not really from printers, you know. :)
Moriah
2 Posts
Been getting these for a number of weeks as well:

From: officejet@[domain].com [mailto:officejet@[domain].com]
Sent: Wednesday, September 28, 2011 8:59 PM
To:
Subject: Re: Scan from a HP Officejet #4310253

A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 1778A.

Sent by: KATHYRN
Images : 6
Attachment Type: Image (.jpg) Download

Hewlett-Packard Officejet Location: machine location not set
Device: OFC053AA7BSX783945
Moriah
1 Posts
I received this from a coworker who asked me to take a look at it. The site (when it was up) that we were redirected to would attempt to exploit Java, PDF, and Flash. The version you had installed determined which files were downloaded. That was contained in the encrypted JavaScript that was contained in the main site. It's a nasty little bugger and definitely malicious. I would recommend blocking the domain that these emails linked to.
Moriah
7 Posts
Here is a clean write-up for the link. At the time, it was gavni.bij.pl (which currently redirects to something else entirely), so the links will be different.

*******************************************************
When a system connects to http[://]gavni.bij.pl/main.php?page=8f059b09cd0e2f70, a malicious Java Archive is downloaded. The site uses the HTML <applet> tag to run a class file, Window.class, which is located in a folder, "support", within the Java Archive.
In addition, embedded JavaScript attempts to discover certain information about the targeted system, including browser type. Of particular note, it attempts to determine the version of three plugins: Java, PDF, and Shockwave Flash. If the correct version of the Java plugin is detected, it will attempt to download a Main.class file and redirect the system to http[://]gavni.bij.pl/w.php?f=27&e=2. The Main.class file is hosted at http[://]root[@]1604540625/Main.class, which resolves to 95.163.88.209 using dword URL obfuscation.
After the Java exploit is attempted, it checks to see which version of PDF is installed and, depending upon the finding, the website will redirect the system to either http[://]gavni.bij.pl/content/1fdp.php?f=27 or http[://]gavni.bij.pl/content/2fdp.php?f=27.
Finally, it will check the Shockwave Flash version and will download either http[://]gavni.bij.pl/content/score.swf or http[://]gavni.bij.pl/content/field.swf.
******************************************************

I hope I got that right :).
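As an added example (not part of the write-up above or of any post in this thread), a defender-side normaliser for the dword-style host in http[://]root[@]1604540625/Main.class, so that mail filters and proxy log reviews compare the real IPv4 address rather than a bare integer hidden behind a decoy "user@" prefix. It goes beyond the single case in the post by also accepting the hex and octal label forms that inet_aton() resolves.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Added example: decode numeric-host URL obfuscation (dword, hex, octal,
# short dotted forms) the way a C-library inet_aton() would resolve it.

def _parse_part(part: str) -> int:
    """Parse one host label as hex (0x..), octal (leading 0) or decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(f"not a numeric label: {part!r}")

def numeric_host_to_ipv4(host: str):
    """Return the dotted-quad form of a 1- to 4-label numeric host, else None."""
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in labels]
    except ValueError:
        return None
    *lead, last = nums
    last_width = 32 - 8 * len(lead)      # the final label absorbs the remaining bits
    if any(n > 0xFF for n in lead) or last >= 1 << last_width:
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << last_width) | last
    return str(ipaddress.IPv4Address(value))

def normalize_url(url: str):
    """Rewrite a numeric-host URL to dotted quad and drop any decoy userinfo."""
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    ip = numeric_host_to_ipv4(host)
    if ip is None:
        return url, None                  # ordinary hostname: leave it alone
    try:
        port = parsed.port
    except ValueError:
        port = None
    netloc = ip if port is None else f"{ip}:{port}"
    return urlunsplit(parsed._replace(netloc=netloc)), ip
```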
Moriah
7 Posts
We have also seen these emails for quite a while. Also seen subjects with Xerox WorkCentre and Xerox WorkCentre Pro.
jono

10 Posts
William, Slowpoke, Avenger -

You are allowing emails purporting to be from your domain (but not!) to be accepted by your mail servers? Hint: SPF and DKIM have been defending against mail forgery like this for a long time. Might want to try it before complaining about spoofed <yourdomain> emails when there is an effective way to block it completely.
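As an added example, not from jono or anyone else in the thread: a minimal SPF-style sanity check of the kind jono recommends, which flags a message whose From: claims our own domain (or a lookalike such as ourdomain.com.com) but which reached our MX from an IP outside the ranges we publish as senders. The ourdomain.com name and the 203.0.113.0/24 range are assumptions, and the headers are a constructed sample modelled on Moriah's.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Added example: assumed own domain and assumed authorised sender range;
# a real deployment would take these from the published SPF record.
OUR_DOMAINS = {"ourdomain.com"}
AUTHORIZED_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]

SAMPLE = """\
Received: from [117.242.0.20] ([117.242.0.20]) by mx.ourdomain.com with SMTP;
    Wed, 19 Oct 2011 09:10:58 PDT
Received: from [117.242.0.20] by mx.ourdomain.com; Wed, 19 Oct 2011 03:40:58 +0530
From: <support@ourdomain.com.com>
To: <someone@ourdomain.com>
Subject: Re: Scan from a HP Officejet #460647
Date: Wed, 19 Oct 2011 03:40:58 +0530
MIME-Version: 1.0

"""

def connecting_ip(msg):
    """IP that handed the message to our edge MX, assuming the topmost
    Received header was written by our own server (the only one we trust)."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return ipaddress.ip_address(m.group(1)) if m else None

def classify(raw_headers: str) -> str:
    """Return 'spoofed-own-domain', 'lookalike-domain' or 'ok'."""
    msg = message_from_string(raw_headers)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    ip = connecting_ip(msg)
    authorized = ip is not None and any(ip in net for net in AUTHORIZED_SENDERS)
    if domain in OUR_DOMAINS and not authorized:
        return "spoofed-own-domain"
    # Heuristic: our name embedded in a foreign domain, but not a real subdomain.
    if any(d in domain and domain != d and not domain.endswith("." + d)
           for d in OUR_DOMAINS):
        return "lookalike-domain"
    return "ok"
```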