The latest PDF phishing trends of 2020
Tempo di lettura stimato: 9 minuti
There was a dramatic 1160% increase in malicious PDF files in 2019-2020. It went from 411,800 malicious files to 5,224,056. PDF files are an enticing vector of phishing as they are cross-platform and allow attackers to engage more users, making their scam schemes more credible than a text email with a simple link.
To lure users to click on links and buttons embedded in phishing PDF files, there are five main schemes used by attackers: Fake Captcha, Coupon, Play Button, File Sharing and E-commerce.
Data collected from the platform WildFire by Palo Alto Networks was used to analyze the trends . A subset of phishing PDF samples were collected throughout 2020 on a weekly basis. Over 5 million cases of phishing with PDF were analyzed for 2020 alone and the increase in the incidence compared to the total number of documents sent rose by 1160%.
In particular: in 2019 the total number of files analyzed was 4.5 billion, of which about 411 thousand were found to be malware (0.009%). In 2020, following the analysis of over 6.7 billion documents, 5.2 million were found to be phishing vectors with PDF (0.08%).
Phishing with PDF, the most commonly analyzed methods
Five major phishing schemes have been identified from the dataset and will now briefly analyze them in order of distribution. It is important to keep in mind that files used in PDF phishing attacks often act as a secondary step and work together with their carrier (for example, an email or article containing them).
1. Fake CAPTCHA
PDF files Fake CAPTCHA , as the name suggests, require users to verify themselves through a fake CAPTCHA . CAPTCHAs are challenge-response tests that help determine whether a user is human or not.
However, the observed PDF phishing cases do not use a real CAPTCHA, but an image depicting a CAPTCHA test . As soon as users try to “verify” by clicking the continue button, they are taken to a website controlled by the attacker.
The figure below shows an example of a PDF file with a fake CAPTCHA embedded, which is just a clickable image.
The second category identified are coupon themed phishing PDF files and often used the logo of a major oil company .
A significant amount of these files were in Russian with notes like “ПОЛУЧИТЬ 50% СКИДКУ” and “ЖМИТЕ НА КАРТИНКУ” which translate to “get 50% off” and “click on the picture” respectively. The figure below shows an example of these types of phishing PDF files:
Similar to other campaigns seen in the past, these PDF phishers have also taken advantage of traffic redirection for the reasons mentioned above . Analyzing several of them, it was found that they use two traffic redirectors. The figure below shows the chain of a sample:
The entry website took us to another website (
track [.] backtoblack.xyz ), on which another redirect was set.
Eventually, you are directed to an adult dating site through a GET request with some parameters filled in such as
click_id , which can be used for page monetization. All these redirects occurred through HTTP 302 redirect messages. Research showed that the
offer_id parameter of
backtoblack [.] Xyz controls which site the user ends up on .
3. Static image with a play button
These PDF phishing scams don’t necessarily carry a specific message, as they are mostly static images with a video play button superimposed, so they look like videos you need to start.
Although different categories of images were observed, a significant part of them used nudity or specific economic / monetary themes as the subject such as Bitcoin, stock charts and the like to lure users to click on the play button.
The image below shows a PDF file with a Bitcoin logo and a clickable play button.
By clicking the play button, as you can guess, you are redirected to another website. In most of the tests carried out, the redirect pointed to
https: // gerl-s [.] online /? s1 = ptt1 .
From the domain name, one could assume that the site is also in the realm of online dating. However, at the time of this writing, the site has been removed. Unlike the previous campaign, there was only one redirect involved , and it was noted that all redirects had the following format:
id-6-alphanumeric-characters [dot] sed followed by a main domain, similar to those listed below:
http://pn9yozq[.]sed.notifyafriend.com/ http://l8cag6n[.]sed.theangeltones.com/ http://9ltnsan[.]sed.roxannearian.com/ http://wnj0e4l[.]sed.ventasdirectas.com/ http://x6pd3rd[.]sed.ojjdp.com/ http://ik92b69[.]sed.chingandchang.com/
4. Sharing files
This category of PDF phishing uses popular online file sharing services to grab the user’s attention . They often inform the user that someone has shared a document with them. However, for reasons that may vary from one PDF file to another, the user cannot see the content and apparently has to click on an embedded button or link . The image above shows a PDF with a Dropbox logo asking the user to click on the button to request access.
Below, similarly, an image of a PDF file with a OneDrive logo, prompts the user to click on “Access Document” to view the contents of the file.
As the number of cloud-based file sharing services grows, it wouldn’t be surprising to see this theme grow and continue to be among the most popular approaches.
Clicking the “ Access Document ” button takes you to a login page with an Atlassian logo, as shown below. There are two options to use for logging in: Microsoft email or other email services.
Atlassian Stack is geared towards business, so we assume this campaign was aimed at business users. Each of these links has been designed to resemble a legitimate email login page.
For example, “ Continue with Microsoft ” takes you to a page that looks somewhat similar to the one you come across upon entering the legitimate https://login.live.com , as shown below:
After entering an email address, we proceed to another page that asks us to enter our password.
It was observed that the stolen credentials were sent to the attacker’s server through parameters in a GET request.
After entering your credentials, you are returned to the first login page.
We would like to point out that, when we visited this site, it was already reported as phishing by major browsers such as Google Chrome and Mozilla Firefox.
However, during the research, we proceeded to test the whole path with fake credentials to further investigate and investigate the method of phishing with PDF.
Embedding e-commerce themes in emails and phishing documents with PDF is not a new trend. However, there has been an upward trend in the number of fraudulent PDF files that have used brands of international e-commerce to induce users to click on embedded links.
The image below shows an example of a PDF phishing scam that notifies the user that their credit card is no longer valid and that they must “ update their payment information ” in order not to interrupt. the benefits of Amazon Prime .
Similarly, another image below shows a document that informs the user that their Apple ID account will be suspended if they do not click on the link to update their information.
At the time of analyzing the data for the purposes of this article, all websites in this specific PDF phishing campaign have been deleted. It is worth noting that most of these e-commerce themed files used
https: //t.umblr [.] Com / for redirection purposes.
We’ve covered the most common PDF phishing campaigns of 2020 along with their distribution and general functioning. Data from recent years shows that the amount of phishing attacks continues to increase and social engineering is the main vector for attackers to take advantage of users.
Previous research has shown that large-scale phishing can have a click-through rate of up to 8% . Therefore, it is important to double-check and double-check files that you receive unexpectedly, even if they come from an organization you know and trust.
For example, why was your account blocked out of thin air, or why did someone share a file with you when you least expected it?
It is with a critical eye and thinking before acting that you are best protected against phishing campaigns of any kind. We have seen several times how damaging phishing attacks can be that hit , so we recommend that you evaluate our ethical phishing service for your company’s employees.
Through ethical phishing campaigns we will be able to test employees and retrieve important data that will then be used to design and carry out specific training tailored to the people involved.
To find out more, contact us, we will be happy to answer any questions.
- “Left of boom” and “right of boom”: having a winning strategy
- Smishing: a fraud similar to phishing
- Network Traffic Analyzer: an extra gear for the Next Gen SIEM
- The importance of Cyber Threat Intelligence
- Red Team, Blue Team and Purple Team: what are the differences?
- Magecart attack: what it is and how to protect yourself
- 9 reasons why you should consider using a VPN
- The latest PDF phishing trends of 2020
- Backup as a Service (2)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (20)
- Conferenza Cloud (4)
- ICT Monitoring (4)
- Log Management (2)
- News (18)
- ownCloud (4)
- Privacy (7)
- Secure Online Desktop (14)
- Security (13)
- Web Hosting (15)
- 8 Security Tools to be Unveiled at Black Hat USA July 28, 2021Security researchers and practitioners share a host of new cyber tools for penetration testing, reverse engineering, malware defense, and more.
- Biden Administration Responds to Geopolitical Cyber Threats July 23, 2021In response to growing concerns regarding the recent uptick in large-scale, nation-state-backed ransomware attacks on critical infrastructure, the Biden administration is taking new action to tackle the evolving challenges posed by ransomware attacks.
- 7 Hot Cyber Threat Trends to Expect at Black Hat July 22, 2021A sneak peek of some of the main themes at Black Hat USA next month.
- Law Firm for Ford, Pfizer, Exxon Discloses Ransomware Attack July 19, 2021Campbell Conroy & O'Neil reports the attack affected personal data including Social Security numbers, passport numbers, and payment card data for some individuals.
- US Accuses China of Using Criminal Hackers in Cyber Espionage Operations July 19, 2021DOJ indicts four Chinese individuals for alleged role in attacks targeting intellectual property, trade secrets belonging to defense contractors, maritime companies, aircraft service firms, and others.
- How Gaming Attack Data Aids Defenders Across Industries July 19, 2021Web application attacks against the video game industry quadrupled in 2020 compared to the previous year, but companies outside entertainment can learn from the data.
- NSO Group Spyware Used On Journalists & Activists Worldwide July 19, 2021An investigation finds Pegasus spyware, intended for use on criminals and terrorists, has been used in targeted campaigns against others around the world.
- When Ransomware Comes to (Your) Town July 19, 2021While steps for defending against a ransomware attack vary based on the size of the government entity and the resources available to each one, rooting out ransomware ultimately will come down to two things: system architecture and partnerships.
- Breaking Down the Threat of Going All-In With Microsoft Security July 19, 2021Limit risk by dividing responsibility for infrastructure, tools, and security.
- 7 Ways AI and ML Are Helping and Hurting Cybersecurity July 19, 2021In the right hands, artificial intelligence and machine learning can enrich our cyber defenses. In the wrong hands, they can create significant harm.
- Backdoor.Win32.Nbdd.bgz / Remote Stack Buffer Overflow July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/6fab73bf104c6a9211b94f9559faa134.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Nbdd.bgz Vulnerability: Remote Stack Buffer Overflow Description: NetBot_Attacker VIP 5.9 on initial startup listens on port 8080 and on subsequent restarts port 80. Third-party attackers who can reach an infected system […]
- Backdoor.Win32.Bifrose.acci / Local Stack Buffer Overflow July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/611dbff0d68df777c6d6881e00440143.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Bifrose.acci Vulnerability: Local Stack Buffer Overflow Description: Bifrost doesn't properly validate the IP address when importing Bifrost settings (.set) files. The IP address offset is located after a NULL byte which […]
- Backdoor.Win32.PsyRat.b / Remote Denial of Service July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/5817183894cb513239f6aef28895130c_B.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.PsyRat.b Vulnerability: Remote Denial of Service Description: The PsyRAT 1.02 malware listens by default on TCP port 9863. Third-party attackers who can reach infected systems can send a specially crafted command […]
- Backdoor.Win32.PsyRat.b / Unauthenticated Remote Command Execution July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/5817183894cb513239f6aef28895130c.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.PsyRat.b Vulnerability: Unauthenticated Remote Command Execution Description: The PsyRAT 1.02 malware listens by default on TCP port 9863, but can be changed when building backdoor servers. Third-party attackers who can reach...
- Backdoor.Win32.Agent.cu / Unauthenticated Remote Command Execution July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ce1963d3fd6a8e1383aac40a1f1c4107_C.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.cu Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP ports 10426, 56185. Third-party attackers who can reach infected systems can execute commands made available by the backdoor....
- Backdoor.Win32.Agent.cu / Port Bounce Scan (MITM) July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ce1963d3fd6a8e1383aac40a1f1c4107_B.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.cu Vulnerability: Port Bounce Scan (MITM) Description: The malware listens on TCP ports 10426, 56185, its FTP component accepts any username/password credentials. Third-party attackers who successfully logon can abuse the...
- Backdoor.Win32.Agent.cu / Authentication Bypass RCE July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ce1963d3fd6a8e1383aac40a1f1c4107.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.cu Vulnerability: Authentication Bypass RCE Description: The malware listens on TCP ports 10426, 56185. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then...
- Backdoor.Win32.Mazben.me / Unauthenticated Open Proxy July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/6681d5e4b68abd21a14c704edf9e2ff5.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Mazben.me Vulnerability: Unauthenticated Open Proxy Description: The malware listens on random TCP ports like 3515, 7936, 3972. Third-party attackers who can connect to the infected system can relay requests from the […]
- Backdoor.Win32.Hupigon.aaur / Unauthenticated Open Proxy July 27, 2021Posted by malvuln on Jul 26Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/16d598c01f7b391986c8c19eded005b1.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Hupigon.aaur Vulnerability: Unauthenticated Open Proxy Description: The malware listens on TCP port 8080. Third-party attackers who can connect to the infected system can relay requests from the original connection to the...
- ATLASSIAN - CVE-2020-36239 - Jira Data Center and Jira Service Management Data Center July 27, 2021Posted by Atlassian on Jul 26This email refers to the advisory found at https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html CVE ID: * CVE-2020-36239 Products: Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center. Affected Versions - Jira Data Center, Jira Core Data Center, and Jira Software Data Center: 6.3.0
Estimated reading time: 6 minutes Every day we hear about some new technology threats or vulnerabilities. Latel… https://t.co/YyZZPgyV6h
Estimated reading time: 6 minutes Every day we hear about some new technology threats or vulnerabilities. Latel… https://t.co/uV5QZuvPVS
Tempo di lettura stimato: 6 minuti Ogni giorno sentiamo parlare di qualche nuova minaccia o vulnerabilità in ambi… https://t.co/nlHWBfE6QU
Tempo di lettura stimato: 9 minuti Agile working and smart working are now a daily reality for many workers. W… https://t.co/FXpigfCLJ8
Tempo di lettura stimato: 9 minuti Ormai, lavoro agile e smart working sono una realtà quotidiana per molti lavor… https://t.co/AVUdOnRQB7