Here is an email I received this morning, claiming to come from an email address at my domain name: [email-obfuscate email=”[email protected]” linkable=”0″].
The email is fairly perfunctory with its subject line of “Scan from KM1650”, and its body text of “Please find attached your recent scan”.
Attached to the file is a Microsoft Word document called =SCAN7318_000.DOC.
Now, this might be slightly plausible if I had a scanner attached to my network which I had configured to email me scans. But I don’t.
One assumes the criminals behind the attack are banking that my place of work uses a Kyocera KM-1650 multi-function printer, or that I’m simply so excited about receiving an email from a scanner that I would open the attachment without even thinking.
Of course, if you receive the malware in your email chances are that it won’t claim to be from [email-obfuscate email=”[email protected]” linkable=”0″]. Instead, it will probably pretend to be [email protected] instead, where example.com matches the domain and tld of your email address.
There has been a long history of cybercriminals spamming out malware pretending to be from printers and scanners, and there have been a number of recent campaigns suggesting that it’s a disguise that continues to dupe the unwary.
A quick check on VirusTotal reveals that relatively few anti-virus products are identifying the malware presently, but I can tell you that the Word document contains auto-executing macros that attempt to download further malicious code from the net designed to infect your Windows PC.
Always be suspicious of unsolicited emails, and be wary of opening files which may be attached to them. Acting recklessly with the contents of your inbox could mean your computer ends up compromised and your bank account plundered.
Repeat after me:
“Thou shalt not open dodgy-looking attachments in unsolicited emails”
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
5 comments on “Scanner sent you a document? Beware of malware attack”
Just a thought that might make this a bit easier to understand (for many people):
'matches the domain and tld of your email address.'
When I first read that the font and my tired head made me read the L as 'I' but then I realised that it is actually 'L' (I suppose that's another reason to write the abbreviation in upper case). I know most won't know what it is and most won't care but you could just explain it away by saying (just to give an example):
'where example.com is your email domain' (because after all people think of example.com as a domain even though it's not that simple). Or another way:
'where example.com is what's after the @ in your email address'
Because let's be honest. Most people owning domains won't understand what top level domain means and even if they do they probably don't understand the (subtle) difference between a zone and a domain (or much of anything in DNS other than it maps from name to IP and IP to name). Besides administrators very few would even care about this as long as it works.
9 hours later – 5 out of 54 products flag it.
Antivirus software usually does not protect you against emailed trojans.
As someone with only a basic knowledge of TLDs etc and the full workings of email my question is how exactly does a spammer make the email appear to come from your email address when it has not been compromised? How do you send an email that looks like it comes from [email protected] when you have not first hacked and taken control of mydomain.com? Are they just altering the 'reply to' address and my basic email program isn't able to/set up to display the full email header which would show the true origin email address?
I know this is old but i thought i'd give you the info anyways..
Anyone with a proper email server software (which can be obtained for free and installed easily on any OS), or access to an open email relay server can send whatever email they like..setting the FROM part of the email to whatever they want.
Luckily most email service providers (at the receiving end) filter for that, calling it SPAM and sending it to your junk box or even totally rejecting the message.
A few examples of filtering methods used at the providers level would be, RDNS, SPF, Matching IP to MX entries, Email content Analysis (spamAssassin and the likes…).
Some, like myself, even go a few steps further to ensure the SPAM is kept out by constantly monitoring and detecting the ever renewing methods of SPAMing and implementing counter measures to stop them.
One other method which i've found to be quite effective is to use BlackLists (DNSBL). Those are lists of IP addresses (hence computer station or a network of) that have a reputation of constantly sending spam. these lists help mitigate over 90% of SPAM.
I hope this was informative enough.
just got this too