The SANS Internet Storm Center has uncovered an innovative phishing campaign that relies on PDFs to harvest email credentials from victims.
Targets receive an email purporting to be from VetMeds, that has the subject line “Assessment document,” with a link to a single PDF. The message says that the file is encrypted and asks recipients to click a link to unlock it: “PDF Secure File UNLOCK to Access File Content.”
Clicking on the link opens the PDF using the computer’s default viewer, with a dialogue box asking the user to log in with his or her email credentials in order to gain access to the full document. Interestingly, the VetMeds ruse quickly breaks down: The actual PDF, which is hosted in Russia has to do with SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking transactions.
“This is an untargeted phishing campaign. They are not going after the most sophisticated users. They are going after Joe Cubicle that may not think twice about entering credentials to unlock a PDF,” said John Bambenek, handler at SANS Internet Storm Center, speaking to Kaspersky Lab. “It doesn’t matter what email address or password you input into the fake unlocking mechanism. The document is opened and anything you input is transmitted to the spammer.”
As for avoiding falling victim, the key (as ever) is awareness.
“Be wary of emails from domains that don't match the contents, note that encrypted PDF documents are not locked this way (and will never ask you for your actual email password anyway), and look for other inconsistencies that give these away as scams,” said Bambenek in a posting. “Make sure users are aware of the little tell-tale signs below so they can stop themselves before becoming victims.”
Photo © 3Dillustrations