Security Alert: Potential Virus Revealing Itself on Fax Print Outs

Submitted by Anonymous (not verified) on Tue, 02/14/2017 - 12:51

From time to time we get some interesting questions/issues from our customers here at HGi and this one is a great example.

A support call came in recently for an account in the Boynton Beach area regarding inbound faxes and security. The customer stated that several times a day she finds what she believes is a 2-page fax sitting on the copier, but she does not understand the contents of what she is receiving.

With my curiosity peaked, I asked her to scan the documents and email them to me so that I could read it myself. The pages I received could only be described as a digital ransom note. It was two lines of text in Courier New that read:

“stackoverflowin has returned to his glory, your printer is part of
a flaming botn”

“Hacked: Please send 0.05 Bitcoin to 1DgjttwnDVgCbDfRFgb4siU4hcrN1HY1VM”

Intrigued by this, I decided to look into it (which means I Googled it). "Stackoverflowin" may in fact refer to a community of programmers that post hacks and fixes to issues that are posted by other programmers. "Flaming Botn" may actually refer to a known Malware virus. I have to say I like the rather polite nature of the ransom request.

You may at this point be wondering why this is a big deal since it’s only a fax — it can't possibly hurt anything, right?

As it turns out, all faxes from Ricoh equipment contain a checkerboard mark on the upper left hand corner of the first page of the received document set.  This is used as an identifier of a new document set so that when you pick up a stack of pages, you can easily identify the beginning of that fax if a cover page is not included.

The scanned document I received from the customer had no such mark on it, which would suggest that this was in fact a print job from inside the network and not just a random fax. Hence a virus may be present on one or more of their PC’s. I recommended to the customer that she bring this to the attention of her company’s IT staff to investigate.

So if you start receiving odd faxes like these through your Ricoh equipment, look for the checkerboard mark. If it's not there, your network might be infected.