A currently spamvertised malware campaign attempts to trick the user into thinking he’s received a scanned Xerox document. The actual attachment is a malicious PDF file which, once it successfully exploits the CVE-2007-5659, CVE-2008-2992, CVE-2009-0927 and CVE-2009-4324 flaws, drops scareware on the infected host.
Sample message:
Hello, It was scanned and sent to you using a Xerox WorkCentre Pro. Please open the attached document.
Sent by: Guest
Number of images: 1 Attachment
File type: PDF.
WorkCentre Pro Location: Machine location not set
Device name: XERX911818091004676018486
Attachment name: 02-02-2011-43.pdf
As far as the social engineering theme is concerned, cybercriminals periodically reintroduce and rotate it once the campaign receives the necessary media coverage.
Users are advised to go through the Ultimate Guide to Scareware Protection, and to ensure their hosts are free of client-side vulnerabilities with Secunia’s Personal Software Inspector (PSI).
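A mail-gateway triage check for this lure, as an added example that is not part of the original post: it flags messages that pair the sample message's wording with a PDF attachment containing script or auto-run name objects, since all four listed CVEs are reached through Adobe Reader's JavaScript engine. The function names, the phrase list and the inert PDF stubs are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Phrases taken from the sample message on this page.
LURE_PHRASES = ("xerox workcentre pro", "please open the attached document")
# PDF name objects that indicate embedded JavaScript or an auto-run action.
RISKY_NAMES = {b"/JS", b"/JavaScript", b"/OpenAction", b"/AA"}

def pdf_names(data: bytes) -> set:
    """Return PDF name tokens with #xx escapes decoded (/J#61vaScript -> /JavaScript)."""
    unhex = lambda m: bytes([int(m.group(1), 16)])
    return {re.sub(rb"#([0-9A-Fa-f]{2})", unhex, raw)
            for raw in re.findall(rb"/[A-Za-z0-9#]+", data)}

def triage(raw_message: bytes) -> dict:
    """Flag mail that pairs the scanner lure with a PDF carrying script markers."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    risky = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"%PDF"):
            hits = sorted(n.decode() for n in pdf_names(data) & RISKY_NAMES)
            if hits:
                risky.append((part.get_filename(), hits))
    lure = all(p in text for p in LURE_PHRASES)
    return {"lure": lure, "risky_pdf": risky, "quarantine": lure and bool(risky)}

def build_sample(pdf: bytes) -> bytes:
    """Constructed test message; the PDF bodies below are inert stubs, not samples."""
    m = EmailMessage()
    m.set_content("It was scanned and sent to you using a Xerox WorkCentre Pro.\n"
                  "Please open the attached document.\n")
    m.add_attachment(pdf, maintype="application", subtype="pdf",
                     filename="02-02-2011-43.pdf")
    return m.as_bytes()

SCRIPTED = b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n" \
           b"2 0 obj<</S/J#61vaScript/JS(;)>>endobj\n%%EOF"
PLAIN = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF"

if __name__ == "__main__":
    print(triage(build_sample(SCRIPTED)))
    print(triage(build_sample(PLAIN)))
```

A raw byte scan does not see names stored inside compressed object streams, so a clean result here is not a verdict on the file. Use it to prioritise attachments for sandboxing or a full PDF parser.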






