Fraudsters Using Fake Encrypted PDF to Phish for Victims’ Credentials


Attackers are using fake encrypted PDF documents to try to phish for unsuspecting users’ login credentials.

John Bambenek, a handler at SANS Internet Storm Center, disclosed the phishing campaign on 4 January. He found that the fraudsters are targeting users who lack a high level of security awareness.

As he told Threatpost:

“This is an untargeted phishing campaign. They are not going after the most sophisticated users. They are going after Joe Cubicle that may not think twice about entering credentials to unlock a PDF.”

The campaign begins when a target receives an email from a school district. Each attack email comes with the subject “Assessment document” and a PDF attachment. The attached document claims to contain a link regarding Vet Meds, a brand of medication for pets.

Source: SANS Internet Storm Center

That couldn’t be further from the truth. The document actually links to a Russian website for a service with the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a banking network which saw its fair share of heists in 2016.

Bambenek provides more details in an Internet Storm Center alert:

“The PDF itself was created with Microsoft Word and contained a link that suggested it was a locked document and you needed to click a link to unlock it which pointed to chai[.]myjino[.]ru and gave a screen with a purported PDF behind it and a login box that it happily accepts.”

Source: SANS Internet Storm Center

This phishing campaign isn’t picky when it comes to a victim’s login credentials. Any username and password combination will do. In fact, the fake login box will send off any information a user inputs into its two text fields.

Source: SANS Internet Storm Center

Users can protect themselves against this campaign and others like it by looking for tell-tale signs that give the scam away. First, they should notice that the Russian website does not match the school’s domain, a discrepancy which could suggest someone compromised an email account belonging to the latter.

Second, they should know that a legitimately encrypted PDF file will never ask a user to enter any of their account credentials in order to authenticate themselves. Instead it will ask for a password that is usually unique to that specific document. It will look something like this:


Finally, users should in general refrain from clicking on suspicious links and email attachments.
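The two tell-tale signs above (a link whose domain does not match the sender’s, and a “locked” document that is not actually encrypted) can be checked mechanically before an attachment reaches a user. The following is an added example, not code from the article or from SANS ISC. It assumes a minimal, constructed PDF byte string carrying one link annotation (the host is the defanged one quoted in the ISC alert), a hypothetical sender address at `school.example`, and it uses two simplifications that are labelled in the comments: a regex scan of the raw PDF bytes (real PDFs may hide objects in compressed streams, so a gateway should decompress first) and a last-two-labels heuristic for the registered domain instead of the public suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal PDF that is NOT encrypted (no /Encrypt in the
# trailer) but carries a link annotation pointing at the host named in the
# ISC alert, written in its defanged form.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://chai[.]myjino[.]ru/unlock) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample of what a genuinely password-protected PDF looks like at
# the trailer level: an /Encrypt entry is present. The encryption dictionary
# itself is omitted for brevity; the heuristic below only keys on the entry.
SAMPLE_ENCRYPTED_PDF = SAMPLE_PDF.replace(
    b"trailer << /Root 1 0 R >>", b"trailer << /Root 1 0 R /Encrypt 5 0 R >>"
)

# Regex scan of the raw bytes. This is a heuristic: objects inside compressed
# object streams would be missed, so inflate streams first in a real gateway.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ENCRYPT_RE = re.compile(rb"/Encrypt\b")


def refang(text: str) -> str:
    """Undo common defanging so the URL can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def pdf_is_encrypted(data: bytes) -> bool:
    """True if the document carries an /Encrypt entry (standard PDF security handler)."""
    return ENCRYPT_RE.search(data) is not None


def extract_link_hosts(data: bytes) -> list:
    """Return lower-cased hostnames of every /URI link action found in the bytes."""
    hosts = []
    for m in URI_RE.finditer(data):
        uri = refang(m.group(1).decode("latin-1", "replace"))
        host = urlparse(uri).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def registered_domain(host: str) -> str:
    """Heuristic registered domain: last two labels. A production check should
    use the public suffix list so hosts like example.co.uk compare correctly."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_attachment(sender: str, data: bytes, claims_locked: bool = True) -> list:
    """Return a list of human-readable findings; an empty list means no red flag.

    claims_locked: whether the message or document text tells the user the
    PDF is locked and must be "unlocked" (as in the campaign described above).
    """
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if claims_locked and not pdf_is_encrypted(data):
        findings.append("document claims to be locked but carries no /Encrypt dictionary")
    for host in extract_link_hosts(data):
        if registered_domain(host) != registered_domain(sender_domain):
            findings.append(f"link host {host} does not match sender domain {sender_domain}")
    return findings


if __name__ == "__main__":
    # Hypothetical sender address; school.example is a placeholder domain.
    for finding in assess_attachment("admin@school.example", SAMPLE_PDF):
        print("FLAG:", finding)
```

Run against the constructed sample, the check raises both flags: the PDF has no `/Encrypt` entry despite claiming to be locked, and the link host resolves to `myjino.ru`, which is not the sender’s domain. A genuinely encrypted PDF that only links back to the sender’s own domain produces no findings, which is the point: a real encrypted document prompts for a document password inside the reader, not for account credentials on an external site.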
