{"id":6403,"date":"2017-01-26T18:00:40","date_gmt":"2017-01-27T02:00:40","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/26\/news-240\/"},"modified":"2017-01-26T18:00:40","modified_gmt":"2017-01-27T02:00:40","slug":"news-240","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/26\/news-240\/","title":{"rendered":"Phishers unleash simple but effective social engineering techniques using PDF attachments"},"content":{"rendered":"<p>The <a target=\"_blank\" href=\"http:\/\/time.com\/4638214\/google-phishing-scam\/\">Gmail phishing attack<\/a>\u00a0is reportedly so effective that it tricks even technical users, but it may be just the tip of the iceberg. We\u2019re seeing similarly simple but clever social engineering tactics using PDF attachments.<\/p>\n<p>These deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the heightened phishing activity that we have come to expect every year during the holiday season has not subsided.<\/p>\n<p>Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where you are then asked to divulge sensitive information.<\/p>\n<p>At Microsoft Malware Protection Center, we continuously monitor the threat landscape for threats such as these PDF files that arrive via email and execute their payload from the web. We do this, not only so we can create security solutions for the latest threats, but also so we understand cybercriminal\u2019s newest schemes and warn customers.<\/p>\n<p>Awareness is an effective weapon against social engineering. 
We\u2019re sharing some examples of these PDF attachments, including one that spoofs Microsoft Office, so you are armed with knowledge that you can use to detect these social engineering attacks.<\/p>\n<h2>Example 1: You received a document that Adobe Reader can\u2019t display because it\u2019s a protected Excel file, so you need to enter your email credentials<\/h2>\n<p><strong>Attachment file type<\/strong>: PDF<br \/> <strong>Filename<\/strong>: Quote.pdf<br \/> <strong>Info stolen<\/strong>: Email credentials<br \/> <strong>Windows Defender detection<\/strong>: <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Trojan:Win32\/Pdfphish.BU\">Trojan:Win32\/Pdfphish.BU<\/a><\/p>\n<p>One example of the fraudulent PDF attachments\u00a0is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1128\" height=\"955\" class=\"alignnone size-full wp-image-10905\" alt=\"1\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/120.jpg\" \/><\/p>\n<p>When you open the attachment, it\u2019s an actual PDF file that is made to appear like an error message. It contains an instruction to \u201cOpen document with Microsoft Excel\u201d. 
But it\u2019s actually a link to a website.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"864\" height=\"610\" class=\"alignnone size-full wp-image-10515\" alt=\"pdf-example-1-screenshot-1\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-1-screenshot-1.png\" \/><\/p>\n<p>Clicking the link opens your browser and brings you to a website, where the social engineering attack continues with a message that the document is protected because it is confidential, and therefore you need to sign in with your email credentials.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1150\" height=\"820\" class=\"alignnone size-full wp-image-10525\" alt=\"pdf-example-1-screenshot-2\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-1-screenshot-2.png\" \/><\/p>\n<p>If you\u2019re using Microsoft Edge, Microsoft SmartScreen will block this website, stopping the phishing attack.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1198\" height=\"745\" class=\"alignnone size-full wp-image-10915\" alt=\"block1\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/Block1.png\" \/><\/p>\n<p>However, if you\u2019re using a browser that does not block the website and you click OK, you are led to the phishing site, which asks you to enter your email address and password. The website is designed to appear like you are opening an Excel file. 
The website goes to great lengths to mimic Microsoft Excel Online, but what you see in the site is not an Excel file, but just an image.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1153\" height=\"823\" class=\"alignnone size-full wp-image-10535\" alt=\"pdf-example-1-screenshot-3\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-1-screenshot-3.png\" \/><\/p>\n<p>If you fall for this social engineering trick and enter your details, you are redirected to the site below, which says you entered your details incorrectly. But at this point, the attackers will have your email credentials. Once they have access to your email, the attackers can launch further phishing attacks against your contacts, or gain access to your social networking, online banking, or online gaming accounts.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1151\" height=\"821\" class=\"alignnone size-full wp-image-10545\" alt=\"pdf-example-1-screenshot-4\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-1-screenshot-4.png\" \/><\/p>\n<h2>Example 2: You received a PDF file from Dropbox and need to log in using your email credentials<\/h2>\n<p><strong>Attachment file type<\/strong>: PDF<br \/> <strong>Filename<\/strong>: ScannedbyXerox.pdf<br \/> <strong>Info stolen<\/strong>: Gmail, Outlook, AOL, Yahoo!, Office 365 credentials<br \/> <strong>Windows Defender detection<\/strong>: <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=PWS:HTML\/Misfhing.B\">PWS:HTML\/Misfhing.B<\/a><\/p>\n<p>Another example of these PDF attachments puts on the pretense that you need to sign in to the online storage provider Dropbox to access your document. 
Just like the first example, this PDF document does not have malicious code, but contains a link to \u201cView .PDF online\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"758\" height=\"835\" class=\"alignnone size-full wp-image-10555\" alt=\"pdf-example-2-screenshot-1\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-2-screenshot-1.png\" \/><\/p>\n<p>Clicking the link takes you to a fake Dropbox login page that gives you options to sign in using your Google, Outlook, AOL, Yahoo!, Office 365 or other email credentials.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1373\" height=\"863\" class=\"alignnone size-full wp-image-10565\" alt=\"pdf-example-2-screenshot-2\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-2-screenshot-2.png\" \/><\/p>\n<p>Microsoft Edge users are protected from this threat. Using Microsoft SmartScreen, it stops this phishing attack from loading or serving further offending pages.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1201\" height=\"747\" class=\"alignnone size-full wp-image-10925\" alt=\"block2\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/Block2.png\" \/><\/p>\n<p>On the phishing page,\u00a0options are tailored to look like a legitimate email sign in page. For example, clicking the Office 365 option brings up a window that may look authentic to an untrained eye.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"873\" class=\"alignnone size-full wp-image-10575\" alt=\"pdf-example-2-screenshot-3\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-2-screenshot-3.png\" \/><\/p>\n<p>It\u2019s the same level of customization for the other options. For example, for the Google option, the window first asks you to choose whether you\u2019d like to sign in using your organizational or individual account. 
This step is not present in the actual Google sign in process, but this may be done to help the attackers identify business-related account credentials. It then brings up the sign in page.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1329\" height=\"895\" class=\"alignnone size-full wp-image-10585\" alt=\"pdf-example-2-screenshot-4\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-2-screenshot-4.jpg\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1329\" height=\"897\" class=\"alignnone size-full wp-image-10595\" alt=\"pdf-example-2-screenshot-5\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-2-screenshot-5.jpg\" \/><\/p>\n<p>If you enter your details, an actual PDF document (hosted in Google Drive, not Dropbox) is opened in a window.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1313\" height=\"870\" class=\"alignnone size-full wp-image-10605\" alt=\"pdf-example-2-screenshot-6\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-2-screenshot-6.png\" \/><\/p>\n<p>As part of the social engineering tactic, this is done so you don\u2019t immediately suspect you were phished. By this time, the attackers will have your credentials. This last step can buy them more time to use your credentials before you realize you need to change your password.<\/p>\n<h2>Other examples: Enter your email credentials to access or download your file<\/h2>\n<p>We have seen other examples of PDF files being distributed via email and exhibiting the same characteristics. Just like the first two cases, these PDF files don\u2019t contain malicious code, apart from a link to a phishing site. All of them carry the message that you need to enter your email credentials so that you can view or download the document. 
All of these attachments are detected as variants of <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=PWS:HTML\/Misfhing.B\">Trojan:Win32\/Pdfphish<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"856\" height=\"720\" class=\"alignnone size-full wp-image-10615\" alt=\"pdf-example-3\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-3.png\" \/> <img loading=\"lazy\" decoding=\"async\" width=\"856\" height=\"701\" class=\"alignnone size-full wp-image-10625\" alt=\"pdf-example-4\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-4.png\" \/> <img loading=\"lazy\" decoding=\"async\" width=\"1012\" height=\"976\" class=\"alignnone size-full wp-image-10635\" alt=\"pdf-example-5\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-5.png\" \/> <img loading=\"lazy\" decoding=\"async\" width=\"1012\" height=\"976\" class=\"alignnone size-full wp-image-10645\" alt=\"pdf-example-6\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-6.png\" \/> <img loading=\"lazy\" decoding=\"async\" width=\"871\" height=\"427\" class=\"alignnone size-full wp-image-10665\" alt=\"pdf-example-8\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-8.jpg\" \/> <img loading=\"lazy\" decoding=\"async\" width=\"886\" height=\"410\" class=\"alignnone size-full wp-image-10655\" alt=\"pdf-example-7\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/01\/PDF-example-7.png\" \/><\/p>\n<h2>How to stay safe from phishing attacks<\/h2>\n<p>As we saw from these examples, social engineering attacks are designed to take advantage of possible lapses in decision-making. Awareness is key; that is why we\u2019re making these cybercriminal tactics known.<\/p>\n<p>Don\u2019t open attachments or click links in suspicious emails. 
Even if the emails came from someone you know, if you are not expecting the email, be wary about opening the attachment, because spam and phishing emails may spoof the sender.<\/p>\n<p>In these times, when we\u2019re seeing heightened phishing attacks with improved social engineering techniques, a little bit of paranoia doesn\u2019t hurt. For instance, question why Adobe Reader is trying to open an Excel file. Ask why Dropbox is requiring you to enter your email credentials, not your Dropbox account credentials.<\/p>\n<p>For more information, download and read this Microsoft <a target=\"_blank\" href=\"https:\/\/info.microsoft.com\/Protectyourweakestlink.html?ls=social\">e-book on preventing social engineering attacks<\/a>, especially in enterprise environments.<\/p>\n<p>Using a secure platform like Windows 10 will let you take advantage of security features that can help identify and stop phishing attacks:<\/p>\n<ul>\n<li><a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/itpro\/microsoft-edge\/index\">Microsoft Edge<\/a> is a secure browser that can block phishing sites and other malicious websites using <a target=\"_blank\" href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/#3FYqD02TC1A6VsaL.97\">Microsoft SmartScreen<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\">Windows Defender<\/a> can detect and block malicious PDF attachments and other malicious code<\/li>\n<li>Office 365 has built-in content security features that can block spam and phishing emails<\/li>\n<\/ul>\n<p><em>Alden Pornasdoro<\/em><\/p>\n<p><em>MMPC<\/em><\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/26\/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments\/\" target=\"bwo\" 
>https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Gmail phishing attack\u00a0is reportedly so effective that it tricks even technical users, but it may be just the tip of the iceberg. We\u2019re seeing similarly simple but clever social engineering tactics using PDF attachments. These deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,11105,3924,10510],"class_list":["post-6403","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-pdf-attachment","tag-phishing","tag-social-engineering"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6403"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6403\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6403"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.pa
lada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}