Trends in Phishing with PDF Files

Posted by Trevagh Stankard on Tue, Jun 8th, 2021

An uptick in phishing started in 2020 with the pandemic lockdowns, and it continues to be a serious cybersecurity threat in 2021. Attackers change their methods as more people become aware of their scams and cybersecurity defenses work effectively to stop them. One of the latest trends in phishing involves PDF files.

PDF files allow users to share rich-text information including links, images, animation, and even internal scripts linked to the file. In the latest group of attacks, phishing campaigns include PDF attachments that perform various methods to redirect users to a malicious site in an attempt to steal user information. Here are several PDF phishing attacks to look out for in 2021:

Fake CAPTCHA Redirects

A CAPTCHA is a recognized symbol for anyone who uses the internet, so it’s an easy and convenient way to trick users into clicking a link. In this phishing campaign, an attacker inserts an image of the common Google CAPTCHA interface.

Users recognize the image and click “Continue” and expect to see a site recognizable to them. When the link is clicked, the user is redirected to an attacker-controlled site where users are asked to enter their private information.

Using Popular Logos for Malicious Redirects

It’s easy to get users to click links generated from recognizable logos. When attackers use a logo from a well-known brand, they can trick users into clicking the logo. With this attack, an image of a popular brand is included in the PDF file with the promise of a discount. It looks like a common brand sale, so it tricks users into click the image.

After the user clicks the image, a browser opens and targets a redirect site. The redirect site then sends the user to an attacker-controlled phishing page. Similar to the CAPTCHA scam, users who don’t notice the redirect will think that they are accessing a popular site and might enter their private information or login credentials to access the site.

Play Buttons on Static Images

When you see a play button on an image, your first instinct is to click the button and watch the videos. This natural reaction to a play button is what attackers expect when they send a PDF file with a static image containing a video-like play button.

This scam is common in phishing attacks targeting cryptocurrency traders and investors. PDF readers open the file, and users click the link on the fake video image. Instead of playing a video, users are redirected to a malicious site that prompts victims to enter their credit card information for a dating website.

File Sharing and Phishing

Most users have either a Google Drive account or a Microsoft OneDrive account. Gaining access to either one of these accounts provides attackers with plenty of documentation and private data from files stored on these cloud drive accounts. Attackers use image links in PDF files to trick users into divulging their user credentials so that they can access targeted victim accounts.

The image displays a prompt to access a file that the user instinctively knows should open their cloud drive, but instead a phishing page opens when the user clicks the link. This phishing page looks exactly like OneDrive or Google Drive’s landing page, so users who do not notice the domain name in their browser window will instinctively enter their username and password. After they enter this information, it’s sent to the attacker who can then access the cloud drive account.

Ecommerce Site Scams

Just like logos, using popular logos is much more convincing than using unknown brand images. Logos for sites like eBay, PayPal, Microsoft, Google, and Amazon are known globally, so attackers have many potential victims when they send phishing emails to thousands of recipients.

The latest phishing attacks using PDF files include common e-commerce logos to convince readers to click links. Ecommerce sites contain private information and credit card data, so attackers can steal products using the targeted victim’s information. For example, the PDF file might contain the Amazon log and ask users to click the link to purchase products. Instead of opening Amazon in the user’s browser, an attacker-controlled website masquerading as the legitimate site asks users to authenticate. When users enter credentials into the phishing site, an attacker now has their login information to access their e-commerce account.

Conclusion

Phishing attacks still maintain the number one threat against users and businesses. Use email filters to stop these attacks. Email filters detect malicious attachments and block them from reaching the recipient’s inbox. Using email cybersecurity, businesses can greatly reduce the risk of phishing and becoming the next victim.

SpamTitan email filter blocks spam, viruses, malware, phishing attempts and other email threats for businesses, MSP's and schools all around the globe. Discover the full feature set of SpamTitan in the demo. View Demo.