Stealing corporate credentials is a lucrative business in the underground markets, and threat actors have been found to go to great lengths to obtain them. Now, another group of cybercriminals has been observed impersonating Adobe online services and using fake notifications to lure their victims.
However, this service name does not exist. The name is suspected to imitate genuine services, such as Acrobat online or Document Cloud.
The web page linked for downloading the shared file looks like an authentication window with a blurred interface of Adobe Acrobat Reader DC.
Despite the blurring, the filename EMInvoice_R6817-2p[.]pdf doesn’t match the authentication window. The window for downloading the file shows a different name, Wire Transfer Receipt[.]pdf.
Additionally, the blurred document has Invoice written on it, while the filename says receipt, which is a confirmation of a payment already received.
PDF in phishing emails
Malicious PDF files have featured prominently in several recently observed phishing attacks, with attackers using them to target unsuspecting users.
A week ago, a spear-phishing campaign was spreading the AsyncRAT payload using a malicious link in a well-crafted message. The phishing emails included malicious links disguised as PDF attachments.
Last month, cybercriminals behind the SolarMarker malware attack were found to be using PDFs. These malicious PDFs were filled with SEO keywords to steal data and passwords.
Phishing emails that spoof the names of well-known software to fool recipients are a common yet effective threat. A common set of security hygiene measures can greatly reduce the risk of infection from this threat. Companies can protect themselves by training their employees to spot phishing attacks. Moreover, they can use anti-phishing solutions and security products with anti-phishing components.