In trays of printed paper, a new service called Printeradvertising.com was launched that states that it can print a viral advertising campaign to every connected printer in the world.
While this is an overstatement, the service did start out with a bang when Andrew Morris, founder of security company GreyNoise, detected a mass printer spam campaign promoting the service as it connected to his company's honeypots.
.@GreyNoiseIO just detected someone (specifically 194.36.173[.]50) spraying the entire Internet with print commands for this document advertising a world-wide printing service, similar to HackerGiraffe's PewDiePie printer hack and Weev's swastika printer hack. pic.twitter.com/Ge0kebMzI7— Andrew Morris (@Andrew___Morris) December 2, 2018
Morris told BleepingComputer that at least sixty distinct GreyNoise honeypots detected connections coming from IP address 188.8.131.52 that were trying to send print jobs. Bad Packets Report and Phishing AI state that this IP address belongs to a subnet known for malicious activity including phishing kits, C2 servers, and possibly malware such as Lokibot.
So @bad_packets says ASN 44685 full of cybercrime. Is he right?— Phishing AI (@PhishingAi) November 22, 2018
Let's take a look at 184.108.40.206/24 current state
(only active campaigns)
On 220.127.116.11 we have a malware C2 server with multiple panels.
cc: @malwrhunterteam @JAMESWT_MHT @nullcookies @SteveD3 @thepacketrat pic.twitter.com/MgjnllEeQ4
The spam print job is sent as raw PCL (Printer Command Language), which instructs the printer how to format and print the document.
When successful, it would cause the printer to print an advertisement for the printeradvertising.com site as shown below.
The full text of this advertisement is:
Guerrilla marketing experts - printeradvertising.com Secure your spot in the most viral ad campaign in history. We have the ability to reach every single printer in the world! Reservations are limited.
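The kind of triage a honeypot operator can run on such a job, as an added example that is not from the article or from GreyNoise: it checks a captured payload for PJL/PCL markers and recovers the text the job would print. The function name `triage`, the marker labels and the sample payload are constructed for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language marker that brackets a job
# Parameterized PCL escape: ESC, a char in !-/, optional group char, values, uppercase final
PCL_PARAM = re.compile(rb"\x1b[!-/][\x60-\x7e]?[-+.\d\x60-\x7e]*[@-^]")
PCL_TWO_CHAR = re.compile(rb"\x1b[0-~]")  # two-character escape such as ESC E (reset)
PJL_LINE = re.compile(rb"^@PJL[^\r\n]*\r?\n?", re.MULTILINE)

# Constructed sample: a PJL-wrapped PCL job carrying part of the ad text quoted above.
SAMPLE = (
    UEL + b'@PJL JOB NAME="ad"\r\n@PJL ENTER LANGUAGE=PCL\r\n'
    b"\x1bE\x1b&l0O\x1b(s3B"
    b"Guerrilla marketing experts - printeradvertising.com\r\n"
    b"Reservations are limited.\r\n"
    b"\x0c\x1bE" + UEL
)


def triage(payload: bytes) -> dict:
    """Flag PJL/PCL print jobs and return the printable text they carry.

    Binary raster data is not decoded, and plain ASCII with no escape
    sequences is not flagged even though a raw print port would print it.
    """
    markers = []
    if UEL in payload:
        markers.append("UEL")
    # Put PJL commands that follow a UEL at the start of a line.
    data = payload.replace(UEL, b"\n")
    if PJL_LINE.search(data):
        markers.append("PJL")
    if b"\x1bE" in data:
        markers.append("PCL_RESET")
    if PCL_PARAM.search(data):
        markers.append("PCL_PARAM")

    # Strip control sequences, then keep only printable ASCII and newlines.
    body = PCL_TWO_CHAR.sub(b"", PCL_PARAM.sub(b"", data))
    body = PJL_LINE.sub(b"", body)
    text = re.sub(rb"[^\x20-\x7e\n]", b"", body).decode("ascii")
    lines = [ln.strip() for ln in text.split("\n") if ln.strip()]
    return {"is_print_job": bool(markers), "markers": markers, "text": lines}


if __name__ == "__main__":
    print(triage(SAMPLE))
```
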
According to a tweet from someone named @printerads that claims to run the site, this campaign was meant to see if anyone was interested in actually using the service. If people are interested, they would build out a service to support more printing protocols.
We're currently mostly trying to see if anyone's interested, if people actually want to buy this we'll build a web platform with support for more printing protocols.— printeradvertising (@printerads) December 2, 2018
In response to questions from BleepingComputer, Printeradvertising has stated that this is a real service, that they plan on offering the service for $250 and have received over 600 emails today. Launching a service like this is no doubt illegal as they are performing unauthorized activity on someone else's devices.
Strangely, the printeradvertising.com site has URLs to an Australian security consultant named Simon Smith, which indicates that this may be an extensive trolling campaign.
Smith had told BleepingComputer that he has received numerous death threats and calls from around the world due to this printer spam. Smith has also posted this statement on LinkedIn:
The person behind the Printeradvertising campaign, though, continues to claim they are Smith and signs their emails as "eVestigator®, Simon Smith".
This type of activity is not new. Other printer spam currently being sent includes jobs asking people to subscribe to PewDiePie's YouTube channel and spam for the L0de Radio Hour.
The owner of the L0de Radio Show contacted BleepingComputer and issued this statement:
"I deny any involvement in these printer scam campaigns and disavow these actions. I've taken down my YouTube channel and made my twitter account protected so as not to benefit from them and am directing visitors to a charitable organization."
In order to prevent this type of mischief, network-enabled printers should never be connected to the Internet. Doing so only allows malicious actors to send any type of print document to your network, including pornography that could land you in trouble.
While many ISPs block the TCP ports associated with printer daemons, many do not. According to Shodan.io, there are over 13,000 Internet printers connected through ISPs such as Comcast, Verizon Fios, Spectrum, and AT&T.
If it is absolutely necessary to allow remote users to print to network printers in your organization, you should instead place them behind firewalls and require users to VPN into the network to use the internal resources.
Update 12/3/18 9:27 PM EST: Updated to include statement posted by Simon Smith on LinkedIn.
Update 12/3/18 9:27 PM EST: Updated with responses from an email with Printeradvertising.
Update 12/4/18 4:39 PM EST: Updated with statement from L0de.