New E-mail Scam – Don’t be scammed by your own scanner!

News from Omniquad | October 25, 2012

Omniquad’s technicians are warning about emails that appear to come from your own scanner or multipurpose printer. The emails were caught in the Mailwall Remote spam filter. At first the technicians thought they were legitimate scanned documents, but the emails did not in fact contain any scanned documents, only links to sites containing malware.

The fake printer emails claim to have an attached document that comes from a Xerox WorkCentre or HP Office Jet printer. The precise wording of the e-mail body and the type and name of the attachment vary from email to email, but they all claim to be a scan (or sometimes a forwarded scan) from a Xerox WorkCentre or HP Office Jet printer, to fool recipients into believing that the attachment is a legitimate document.


Printer scam with HTML

These fake messages have no connection with Xerox or HP products.



However, the attachment actually contains an HTML file, or an HTML file inside a ZIP, that leads to malware sites hosted on multiple IPs. The ZIP format is probably being used to dodge most spam filters.


Printer scam with ZIP



To be precise, the HTML or ZIP attachment contains JavaScript which leads to malware sites and secretly downloads a Trojan and adds the compromised machine to a botnet. This Trojan may modify the system registry and file system. It may also attempt to download and install additional malware on the targeted system.
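A mail-gateway check for the attachment pattern described above, as an added example that is not Omniquad's or Mailwall's code: it flags HTML attachments, whether attached directly or packed inside a ZIP, that carry scripts, meta-refresh redirects or iframes. The function names, the size cap and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

HTML_EXT = (".htm", ".html")
# Active content that a genuine scan-to-email attachment has no reason to carry.
ACTIVE = re.compile(rb"<script\b|http-equiv\s*=\s*[\"']?refresh|<iframe\b", re.I)

def html_payloads(msg):
    """Yield (name, bytes) for HTML attachments, including HTML inside ZIPs."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(HTML_EXT) or part.get_content_type() == "text/html":
            yield name, data
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Size cap is an assumed guard against decompression bombs.
                    if info.filename.lower().endswith(HTML_EXT) and info.file_size < 5_000_000:
                        yield f"{name}!{info.filename}", zf.read(info)

def suspicious_attachments(raw):
    """Return names of HTML attachments that contain active content."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [name for name, data in html_payloads(msg) if ACTIVE.search(data)]

def build_sample():
    """Constructed test message: one zipped HTML with a script, one plain PDF."""
    html = b"<html><body><script>/* constructed placeholder */</script></body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_001.html", html)
    msg = EmailMessage()
    msg["Subject"] = "Scan from a Xerox WorkCentre"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Scan_001.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="real_scan.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```

Password-protected ZIPs are not handled here; `zf.read` raises on them, and a gateway would normally quarantine those separately.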

In light of this, it is important to be vigilant with emails that seem to come from a trusted source like your own scanner.

For information, a few of the malware sites linked to are listed below.


Omniquad’s warning: Before opening any attachments ensure that this is in fact a legitimate email from your scanner and not a scam email with malicious links.


