New phishing schemes are constantly developed by threat actors to trick people into disclosing sensitive information or downloading malicious files that provide the attacker with remote access to their devices. This month, two campaigns have been identified that use PDF files to hide the phishing content from email security solutions, one of which uses a lure of expired Amazon Prime memberships, and the other impersonates the US Postal Service and advises the recipient about a failed delivery.
Amazon Prime Phishing Campaign
The emails in this campaign are spoofed to appear to come from Amazon Prime and carry a PDF attachment. The PDF tells the recipient that their membership is due to expire on a specified date because the card Amazon has on file is no longer valid. To keep the membership, new card details must be supplied; otherwise, the PDF warns, Amazon will first try to charge the membership to every other card on the account, and the account will be suspended if payment fails.
Given the huge number of Amazon Prime members, the emails have a good chance of reaching a current subscriber, but even someone who only held a membership in the past may follow the link in the PDF to stop the cards on file from being charged.
If the link is clicked, the user is taken to a duckdns.org subdomain (a free dynamic DNS service, not an Amazon domain) that displays an exact copy of the Amazon sign-in page. Anyone who attempts to log in is told they must secure their account by confirming their identity and signing out of all web apps, devices, and web browsers. The "Verify Your Identity" page asks for their full name, date of birth, Social Security number, phone number, and full address, and a final page asks for their payment card details. Beyond fraudulent charges to the card, the stolen personal information exposes victims to identity theft.
US Postal Service Phishing Campaign
A large-scale phishing campaign impersonating the US Postal Service similarly uses malicious PDFs, in this case aimed specifically at mobile devices with the goal of harvesting personal information. More than 630 phishing pages have been identified as part of the campaign, targeting individuals in more than 50 countries. The PDFs use a novel technique to hide the phishing URL from the link scanners in email security solutions, making it harder to identify and extract the URL for analysis.
Text messages advise the recipient that a package has arrived at a USPS distribution center but cannot be delivered because the address information is incomplete. The message links to a web-hosted PDF that the recipient is told to open to complete the address; the link in the PDF leads to a phishing page with a form for their full address, email address, and contact telephone number. They are then asked to pay a small redelivery service charge of $0.30 and to submit their card details; the trivial fee is the pretext for capturing the card.
Improve Your Phishing Defenses
These are just two examples of new phishing campaigns that use PDF files to hide phishing links from email security solutions. PDF files are well suited to this purpose: they can carry clickable links, scripts, and even malicious payloads, and the link target can be encoded in ways that a scanner which only searches the raw file for plaintext URLs will not see. The attacks are even more effective against mobile devices, whose small screens make it hard to inspect a URL before tapping it, so a domain unrelated to the impersonated company is easily overlooked. Mobile devices are also less likely than managed desktops and laptops to be covered by endpoint protection and web filtering.
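The following is an added example, not code from the original post or from either campaign it describes, showing why a link scanner has to parse PDF string syntax rather than grep the raw bytes. The same URL is embedded in three /Link annotations, as a plain literal string, as an octal-escaped literal string, and as a hex string (all three are standard PDF syntax); a grep-style scanner recovers only the first, while a syntax-aware extractor recovers all three and can then compare the host against the brand the document claims to come from. The PDF blob, the duckdns.org URL, the dynamic DNS list and the function names are constructed for illustration; the specific hiding technique used in the USPS campaign is not described on this page and is not what this code reproduces.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed placeholder URL on a dynamic DNS host (the Amazon campaign above used a
# duckdns.org subdomain). It is an illustration, not a real campaign indicator.
PHISH_URL = "http://prime-billing-update.duckdns.org/ap/signin"

def _octal_escape(s: str) -> str:
    # Write every byte of a PDF literal string as a \ddd octal escape.
    return "".join(f"\\{ord(c):03o}" for c in s)

def _hex_string(s: str) -> str:
    # PDF hex string <...>; whitespace between digits is permitted by the spec.
    hexed = s.encode("latin-1").hex().upper()
    return "<" + " ".join(hexed[i:i + 8] for i in range(0, len(hexed), 8)) + ">"

# Constructed sample: the object syntax of three /Link annotations carrying the same
# URL. No xref table or trailer, only the parts a link extractor has to parse.
SAMPLE_PDF = (
    "%PDF-1.7\n"
    "1 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
    f" /A << /S /URI /URI ({PHISH_URL}) >> >> endobj\n"
    "2 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]"
    f" /A << /S /URI /URI ({_octal_escape(PHISH_URL)}) >> >> endobj\n"
    "3 0 obj << /Type /Annot /Subtype /Link /Rect [72 500 300 520]"
    f" /A << /S /URI /URI {_hex_string(PHISH_URL)} >> >> endobj\n"
    "%%EOF\n"
).encode("latin-1")

_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}

def decode_literal(body: str) -> str:
    # Resolve PDF literal-string escapes: \ddd octal, \n \r \t \b \f, \( \) \\,
    # and backslash-EOL line continuations (which decode to nothing).
    def sub(m: re.Match) -> str:
        esc = m.group(1)
        if esc[0] in "01234567":
            return chr(int(esc, 8) & 0xFF)
        if esc in _SIMPLE:
            return _SIMPLE[esc]
        if esc in ("\n", "\r", "\r\n"):
            return ""
        return esc                               # \( \) \\ and unknown escapes
    return re.sub(r"\\([0-7]{1,3}|\r\n|[\s\S])", sub, body)

def decode_hex(body: str) -> str:
    # Strip whitespace; an odd trailing digit is padded with 0 per the PDF spec.
    digits = re.sub(r"\s+", "", body)
    if len(digits) % 2:
        digits += "0"
    return bytes.fromhex(digits).decode("latin-1")

# /URI followed by either a literal string (escaped parens allowed) or a hex string.
_URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.DOTALL)

def extract_uris(pdf: bytes) -> list[str]:
    # Syntax-aware extraction of /URI targets from uncompressed PDF objects.
    found = []
    for m in _URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            found.append(decode_literal(m.group("lit").decode("latin-1")))
        else:
            found.append(decode_hex(m.group("hex").decode("latin-1")))
    return found

def naive_extract(pdf: bytes) -> list[str]:
    # What a grep-style scanner sees: only URLs present as plain text in the bytes.
    return [m.decode("latin-1") for m in re.findall(rb"https?://[^\s()<>]+", pdf)]

DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)          # hypothetical list; extend as needed

def assess(uri: str, brand_domain: str) -> str:
    # Classify a link target against the brand the document claims to come from.
    host = (urlsplit(uri).hostname or "").lower()
    if host == brand_domain or host.endswith("." + brand_domain):
        return "brand-domain"
    if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        return "dynamic-dns"
    return "unrelated-domain"

if __name__ == "__main__":
    print("grep-style scanner found:", naive_extract(SAMPLE_PDF))
    for uri in extract_uris(SAMPLE_PDF):
        print(f"{assess(uri, 'amazon.com'):16} {uri}")
```

Two caveats for anyone turning this into a real scanner: the annotation objects in a real file are usually inside compressed object streams, so they must be inflated before this regex sees them, and PDF names themselves may be written with #xx escapes (for example /#55RI for /URI), so the name token has to be normalised rather than matched literally as done here.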
Businesses should conduct regular security awareness training that teaches cybersecurity best practices, warns employees about current threats, and builds the skills needed to recognise phishing and social engineering attempts. Training should be ongoing and should cover the latest scams and the new techniques cybercriminals use against employees, with particular attention to campaigns aimed at mobile devices, since malicious text messages are harder to block than malicious emails. An advanced email security solution should also be in place, with AI and machine learning capabilities and email sandboxing, so that messages and attachments are analysed in depth for malware, malicious scripts, and embedded hyperlinks.
TitanHQ can help in both of these areas. SafeTitan is a comprehensive security awareness training platform that makes it easy to create and automate security awareness training for the workforce. The platform includes a phishing simulator for conducting internal phishing campaigns to reinforce training and identify individuals who are susceptible to phishing attempts.
TitanHQ’s cloud-based anti-spam service, SpamTitan, is an advanced email security solution for blocking the full range of email threats, including phishing, spear phishing, business email compromise, and malware. In independent tests, SpamTitan took first place for detection, blocking 100% of phishing attempts, 100% of malware, and 99.999% of spam emails, with a 0.000% false positive rate.
For more information on cloud-based email filtering and attachment and message sandboxing with SpamTitan and security awareness training and phishing simulations with SafeTitan, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial, and MSP-focused solutions are available to easily add advanced anti-phishing and security awareness training to service stacks.