Printeradvertising.com

In trays of printed paper, a new service called Printeradvertising.com was launched that claims it can print a viral advertising campaign to every connected printer in the world.

While this is an overstatement, the service did start out with a bang when Andrew Morris, founder of security company Grey Noise, detected a mass printer spam campaign promoting the service connecting to his company's honeypots.

Morris told BleepingComputer that at least sixty distinct Grey Noise honeypots detected connections coming from IP address 194.36.173.50 that were trying to send print jobs. Bad Packets Report and Phishing AI state that this IP address belongs to a subnet known for malicious activity including phishing kits, C2 servers, and possibly malware such as Lokibot.

The spam print job is sent as raw PCL (Printer Command Language), which instructs the printer how to format and print the document.

Raw PCL

When successful, it would cause the printer to print an advertisement for the printeradvertising.com site as shown below.

Printer spam for printeradvertising.com
(Source: Technobuffalo)

The full text of this advertisement is:

Guerrilla marketing experts - printeradvertising.com
Secure your spot in the most viral ad campaign in history.
We have the ability to reach every single printer in the world!
Reservations are limited.

According to a tweet from someone named @printerads that claims to run the site, this campaign was meant to see if anyone was interested in actually using the service. If people are interested, they would build out a service to support more printing protocols.

In response to questions from BleepingComputer, Printeradvertising has stated that this is a real service, that they plan on offering the service for $250, and that they have received over 600 emails today. Launching a service like this is no doubt illegal, as they are performing unauthorized activity on someone else's devices.

Strangely, the printeradvertising.com site has URLs to an Australian security consultant named Simon Smith, which indicates that this may be an extensive trolling campaign.

Smith had told BleepingComputer that he has received numerous death threats and calls from around the world due to this printer spam. Smith has also posted this statement on LinkedIn:

The person behind the Printeradvertising campaign, though, continues to claim they are Smith and signs their emails as "eVestigator®, Simon Smith".

This type of activity is not new. Other printer spam currently being sent includes print jobs asking people to subscribe to PewDiePie's YouTube channel and spam for the L0de Radio Hour.

Printer spam for L0de Radio Hour & PewDiePie

The owner of the L0de Radio Show contacted BleepingComputer and issued this statement:

"I deny any involvement in these printer scam campaigns and disavow these actions. I've taken down my YouTube channel and made my twitter account protected so as not to benefit from them and am directing visitors to a charitable organization."

Printers should not be connected to the Internet

In order to prevent this type of mischief, network-enabled printers should never be connected to the Internet. Exposing them lets malicious actors send any type of print document to your network, including pornography that could land you in trouble.

While many ISPs block the TCP ports associated with printer daemons, many do not. According to Shodan.io, there are over 13,000 Internet printers connected through ISPs such as Comcast, Verizon Fios, Spectrum, and AT&T.

If it is absolutely necessary to allow remote users to print to network printers in your organization, you should instead place them behind firewalls and require users to VPN into the network to use the internal resources.
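To check whether printers on your own network are reachable in the way described above, the following added example (not from the original article) scans firewall flow records for connections from outside addresses to printing ports. The log format, the internal address ranges and the sample records are assumptions constructed for illustration; ports 9100, 515 and 631 are the standard raw/JetDirect, LPD and IPP ports.

```python
import ipaddress
from collections import defaultdict

# Standard printing ports (not listed in the article): raw/JetDirect, LPD, IPP.
PRINT_PORTS = {9100: "raw/JetDirect", 515: "LPD", 631: "IPP"}
# Assumption: the site's internal ranges; adjust to your own addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: "timestamp src_ip dst_ip dst_port action".
# Addresses are documentation/private ranges, not real traffic.
SAMPLE_LOG = """\
2018-12-03T14:01:07Z 203.0.113.50 10.0.5.21 9100 ALLOW
2018-12-03T14:01:08Z 203.0.113.50 10.0.5.22 9100 ALLOW
2018-12-03T14:01:09Z 203.0.113.50 10.0.5.23 9100 DENY
2018-12-03T14:02:30Z 10.0.7.14 10.0.5.21 9100 ALLOW
2018-12-03T14:03:11Z 198.51.100.9 10.0.5.21 631 ALLOW
2018-12-03T14:04:00Z 198.51.100.9 10.0.5.30 443 ALLOW
malformed line
"""

def is_internal(ip):
    """True when ip falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_exposed_printers(log_text):
    """Map each outside source to the printer endpoints it reached or tried."""
    hits = defaultdict(lambda: {"targets": set(), "allowed": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip records that do not match the assumed format
        _, src, dst, port, action = parts
        service = PRINT_PORTS.get(int(port))
        try:
            if service is None or is_internal(src) or not is_internal(dst):
                continue  # only outside -> inside traffic to a print port
        except ValueError:
            continue  # unparseable address
        hits[src]["targets"].add((dst, service))
        hits[src]["allowed"] += action == "ALLOW"
    return dict(hits)

def report(hits):
    """One line per source, widest fan-out first (the mass-spam pattern)."""
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]["targets"]))
    return [f"{src}: {len(i['targets'])} printer endpoint(s), "
            f"{i['allowed']} connection(s) allowed" for src, i in ranked]

if __name__ == "__main__":
    print("\n".join(report(find_exposed_printers(SAMPLE_LOG))))
```

Any source with a non-zero allowed count means the firewall let an outside host reach a print service, which is the condition the advice above is meant to eliminate.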

Update 12/3/18 9:27 PM EST: Updated to include statement posted by Simon Smith on LinkedIn.

Update 12/3/18 9:27 PM EST: Updated with responses from an email with Printeradvertising.

Update 12/4/18 4:39 PM EST: Updated with statement from L0de.
