Hackers have been targeting PDF users with a new injection technique. PDF attachments have commonly been used as the Trojan horse that unleashes malware or ransomware onto unsuspecting email users. However, hackers are now targeting PDF files themselves using code-injection techniques. One such attack, discovered earlier this month, allows hackers to inject code that launches cross-site scripting (XSS) attacks within the PDF document itself. The end goal of these attacks is to extract sensitive data from the PDF files.
According to the Open Web Application Security Project (OWASP), XSS attacks are commonly used to inject malicious scripts into otherwise benign and trusted websites. OWASP has ranked XSS attacks in their Top 10 Web Application Security Threats since they started publishing the famous list almost 20 years ago. When used within web applications, the end user’s browser has no way to know that the malicious script should not be trusted and thus executes it. By using the script, the attacker can then access cookies, session tokens or other sensitive information retained by the browser during the web session. XSS exploits are possible anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Hackers are not using injection attacks to access ordinary office PDF files. The real target is the server-side generated PDF files that are created constantly in today’s digital world. They appear in the form of e-tickets, receipts, boarding passes, invoices, payslips and so on. If hackers can gain access to these documents and influence the structure of the PDF itself, they can inject code and capture the enclosed data. For instance, if an attacker can control part of a PDF that contains bank details, those details can be exfiltrated and uploaded to a holding site. When you realize the vast number of PDF files and libraries we all work with, it is obvious why hackers are vigorously targeting them.
What makes XSS attacks possible is sloppy coding. In the same way that ordinary users take shortcuts when it comes to password creation, developers often take shortcuts when writing Web 2.0 code. In the case of PDF file injections, the cause is PDF libraries failing to properly parse these types of escape characters in unprotected formats. For this specific vulnerability, Adobe issued a security update on December 9 that remedies it. If your organization creates PDFs of any form, it is highly recommended that you immediately install the update.
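The escaping gap described above can be checked on the generator side. This is an added example, not code from the article, from Adobe or from any PDF library. It assumes the user-supplied field is written into a PDF literal string, where parentheses delimit the string and the backslash is the escape character; all function names and sample values are hypothetical.

```python
# Added example: escaping input before it enters a PDF literal string.
# Function names and sample values are hypothetical/constructed.

# Characters with structural meaning inside a PDF literal string "( ... )".
_ESCAPES = {"\\": "\\\\", "(": "\\(", ")": "\\)", "\r": "\\r", "\n": "\\n"}

def naive_pdf_string(text: str) -> str:
    """Weak form: wraps the input in parentheses without escaping."""
    return "(" + text + ")"

def safe_pdf_string(text: str) -> str:
    """Hardened form: escapes backslash, parentheses and line breaks."""
    return "(" + "".join(_ESCAPES.get(ch, ch) for ch in text) + ")"

def literal_end(token: str) -> int:
    """Index just past the first complete literal string in token.

    Follows the PDF rules: a backslash escapes the next character and
    unescaped parentheses nest. Returns -1 if the string never closes.
    """
    if not token.startswith("("):
        raise ValueError("not a PDF literal string")
    depth, i = 0, 0
    while i < len(token):
        ch = token[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return -1

def is_contained(token: str) -> bool:
    """True when the whole token is exactly one literal string."""
    return literal_end(token) == len(token)

# Constructed sample field values, as a receipt generator might receive them.
SAMPLES = ["Jane Doe", "ACME (UK) Ltd", "Doe) trailing", "C:\\temp\\"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value),
              "naive contained:", is_contained(naive_pdf_string(value)),
              "escaped contained:", is_contained(safe_pdf_string(value)))
```

A check like `is_contained` fits in a unit test around whatever routine serializes text fields, so a regression in escaping is caught before documents are issued.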
While TitanHQ can’t help you parse your PDF libraries, we can protect you from malware-infected PDF attachments. Our advanced email security solution called SpamTitan is designed to discover and eradicate email attachments that contain viruses and malicious code. It does this through the use of double antivirus protection and sandboxing techniques.
Get in contact with one of the SpamTitan team members to learn how you can better protect against malware-infected attachments.