I WANT YOU: Viral Marketing Campaign Spawns New Crime-as-a-Service
A war is brewing on the internet that many are unaware of at the time of this writing. Opposing factions are rallying their troops and getting ready for the battle over the title “most internet famous” (as measured by number of YouTube subscribers). On one side of this war, there is Felix Kjellberg, commonly known by his YouTube channel as PewDiePie. On the other side is T-Series, an Indian movie and music conglomerate that uploads Bollywood movie trailers and music videos.
Tale of the Tape
PewDiePie is a 29-year-old content creator, known for comedy bits and video game commentaries. He became the most subscribed YouTube channel by the end of 2013. His continued organic growth in subscriber count put his channel head and shoulders above any other YouTuber that hoped to claim the title. However, in 2017, rival YouTube channel T-Series surpassed PewDiePie in total number of video views, but not subscribers. Social media metrics company SocialBlade predicted that T-Series would surpass PewDiePie by October 2018. This prediction meant trouble for PewDiePie, but at the time of this writing, both channels have about 73 million subscribers each, with PewDiePie narrowly holding the lead by just over 300,000 subscribers.
With the title of “most internet famous” on the line, both YouTube channels are pulling out all the stops to recruit new subscribers. T-Series primarily gains new subscribers as a function of 4G wireless network rollout in India. After the release and widespread adoption of affordable 4G wireless networks in India, T-Series saw a sharp uptick in views and number of subscribers. PewDiePie turned to more grassroots methods of attracting new subscribers, including charity drives, dropping a diss tape about rival T-Series, and some unsolicited help from a hacker known only by his handle @HackerGiraffe.
@HackerGiraffe took a page out of Uncle Sam’s World War I playbook and felt an obligation to be conscripted into the PewDiePie army. Using Shodan, he was able to find over 800,000 internet-connected printers with TCP port 9100 inbound exposed to the internet. Mr. Giraffe downloaded the first 50,000 IP addresses from Shodan and plugged them into The PRinter Exploitation Toolkit (PRET), a utility on GitHub which gives hackers the ability to access files on the printer, physically damage the printer, or use the printer as a beachhead to access the internal network to which the printer is connected. After a short bit of code writing, Mr. Giraffe blasted his code out onto the internet and 50,000 internet-connected printers printed out a message asking the reader to subscribe to PewDiePie’s YouTube channel, unsubscribe from T-Series’ YouTube channel, and take measures to secure their printer. Printer owners around the world were equally baffled and terrified that someone was in their network.
In the “well, that didn’t take long” category, a new Printer-Spam-as-a-Service emerged in light of the PewDiePie marketing campaign. Many users, still confused about the PewDiePie message, received a follow-up message on their internet-connected printer asking them to be a part of the most viral ad campaign in history. For a small fee, this advertising agency will push any message to as many printers as someone is willing to pay for. Leveraging the latest data from the Shodan database of internet-exposed printers, the total audience could reach up to 800,000 printers. The new ad agency also boasts capabilities not used in the PewDiePie campaign, such as building its own custom web platform and performing exploits other than the one that relies on TCP port 9100 listening inbound.
The legality of what this new ad agency is doing is being questioned. On the one hand, these are internet-exposed printers lacking any type of authentication or security. On the other hand, leaving a house unlocked does not automatically make trespassing legal. Regardless of legality, printer spam still serves as a major annoyance and security vulnerability. If someone can send a print job to a printer, they can also use it as a beachhead to gain unauthorized access to the network. While companies like Gmail, Outlook, and Yahoo! have powerful anti-spam filters, there is nothing stopping an improperly secured internet-connected printer from becoming an easy target.
Security best practices dictate that any unused ports should be closed and unused services should be disabled and removed. Firewalls should only allow inbound access when absolutely required. Even when required, a strict and frequently updated access control list (ACL) should be enforced to ensure only authorized traffic is allowed. In most cases, printers only need internet access to retrieve security updates and patches. Like IoT devices, printers should be placed on a separate subnet from production traffic with tightly controlled and monitored access. The use of a cloud firewall makes this separation and administration simple and straightforward. The added benefit of an outbound web proxy is the visibility over that traffic to ensure connected devices are communicating with the correct and authorized servers.
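One way to check an inbound ACL against the guidance above, as an added example that is not part of the original article: it walks an ordered rule list and reports which allow rules let untrusted sources reach a printer on TCP port 9100. The rule format, first-match-wins evaluation, addresses (RFC 5737 documentation ranges) and trusted subnet are all constructed assumptions.

```python
import ipaddress as ip

RAW_PORT = 9100  # the printer port named in the article

# Constructed inbound ACL (action, source, destination, low port, high port).
# Assumption: rules are evaluated top-down and the first match wins.
ACL = [
    ("allow", "203.0.113.0/24", "198.51.100.0/24", 9100, 9100),   # print servers
    ("deny",  "192.0.2.0/24",   "198.51.100.0/24", 1, 65535),
    ("allow", "192.0.2.0/25",   "198.51.100.10/32", 9100, 9100),  # shadowed by the deny
    ("allow", "0.0.0.0/0",      "198.51.100.32/27", 9000, 9200),  # over-broad range
    ("deny",  "0.0.0.0/0",      "0.0.0.0/0",        1, 65535),    # default deny
]
TRUSTED = [ip.ip_network("203.0.113.0/24")]    # constructed print-server subnet
PRINTERS = ["198.51.100.10", "198.51.100.40"]  # constructed printer addresses


def exposing_rules(acl, printer, trusted, port=RAW_PORT):
    """Return indexes of allow rules that let untrusted sources reach printer:port."""
    dst = ip.ip_address(printer)
    seen, hits = [], []
    for i, (action, src, dst_net, lo, hi) in enumerate(acl):
        if dst not in ip.ip_network(dst_net) or not lo <= port <= hi:
            continue  # rule does not apply to this printer and port
        src_net = ip.ip_network(src)
        if any(src_net.subnet_of(s) for s in seen):
            continue  # fully shadowed by an earlier matching rule
        seen.append(src_net)
        # Conservative: a partially shadowed allow rule still counts as exposure.
        if action == "allow" and not any(src_net.subnet_of(t) for t in trusted):
            hits.append(i)
    return hits


def audit(acl, printers, trusted, port=RAW_PORT):
    """Map each printer to the rules exposing it; an empty list means not exposed."""
    return {p: exposing_rules(acl, p, trusted, port) for p in printers}


if __name__ == "__main__":
    for printer, rules in audit(ACL, PRINTERS, TRUSTED).items():
        status = f"EXPOSED via rule(s) {rules}" if rules else "ok"
        print(f"{printer}:{RAW_PORT} {status}")
```

The second printer is flagged because the port range 9000-9200 opened to any source includes 9100, the kind of drift a frequently reviewed ACL is meant to catch.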