Scanner Email Hides Malware

Friday, January 20, 2012 @ 03:01 PM gHale

Emails pretending to come from a scanner inside an office building are hitting the street again, targeting accounts of company staff members.

This time, an email bearing the subject “Re: Scan from a Xerox W. Pro #XXXXXXX” tells the recipient that a document was sent to them from a Xerox device, according to security firm Websense.

Confused users, who may not know the employee named MAMIE who appears to have sent the email, might rush to click on the link, which purports to point to five image files.

Instead, once clicked, the link redirects the user to a website that hosts the Blackhole exploit kit. Hiding in an iframe, the exploit kit looks for vulnerable software and, once it finds it, executes shellcode that triggers the download and execution of other pieces of malware.

Over 3,000 of these messages are out there so far in this campaign, but since this variant of the Blackhole kit is more advanced, offering cyber criminals the possibility to tweak their malware, the number may increase.

The Blackhole exploit kit is usually rented by its users, and this latest version offers a number of improvements, such as administration options for smartphones and an option for the kit to utilize underground audio and video scanners for malware.

Internet users who come across such emails, especially those who receive them on company email accounts, should ignore them and report them to the organization’s IT department so it can take the appropriate measures to mitigate the attack.

IT departments should raise awareness among other members of the staff to make sure they know how to handle these and other similar threats. Reports show that cyber criminals mostly rely on social engineering to complete their tasks, and if users remain well informed and vigilant, the bad guys’ chances of succeeding drop significantly.
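As an added example (not part of the original article or of Websense's report), here is one way an IT department could triage reported mail for this lure: match the subject line quoted above, then check whether the message sends the reader to a host outside the organisation. The domain `corp.example`, the sample messages and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Subject lure reported on this page; the job number after '#' varies per message.
SUBJECT_RE = re.compile(r"scan from a xerox w\. ?pro #\S+", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumption: domains the organisation's own scanners and file shares use.
INTERNAL_DOMAINS = {"corp.example"}

def is_internal(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def external_links(msg):
    """Return hosts of links in text parts that fall outside INTERNAL_DOMAINS."""
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            host = urlparse(url).hostname
            if host and not is_internal(host) and host not in hosts:
                hosts.append(host)
    return hosts

def triage(raw):
    """Classify one raw message as 'quarantine', 'review' or 'pass'."""
    msg = message_from_string(raw, policy=default)
    lure = bool(SUBJECT_RE.search(msg.get("Subject", "")))
    links = external_links(msg)
    if lure and links:
        return "quarantine", links  # scanner-themed mail that sends the user off-site
    if lure:
        return "review", links      # matches the lure but has no outside link
    return "pass", links

# Constructed sample messages (not real campaign mail).
HDR = "From: MAMIE <mamie@corp.example>\nTo: staff@corp.example\n"
SAMPLE_PHISH = (HDR + "Subject: Re: Scan from a Xerox W. Pro #1234567\n"
                "Content-Type: text/html\n\n"
                '<a href="http://files.lure.example/scan/img1.jpg">View</a>\n')
SAMPLE_INTERNAL = (HDR + "Subject: Scan from a Xerox W. Pro #7654321\n\n"
                   "Your scan: http://scans.corp.example/job/7654321\n")
SAMPLE_OTHER = HDR + "Subject: Lunch on Friday\n\nMenu: http://cafe.example/menu\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_INTERNAL, SAMPLE_OTHER):
        print(triage(sample))
```

The sender address is deliberately not trusted here, since the lure presents itself as coming from a colleague inside the company.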