Threat Report: Phishing Campaign Baits Hook With Malicious Amazon PDFs

Threat Overview

A recent phishing campaign has emerged that uses malicious PDF files to trick victims into revealing their personal and financial information. Researchers at Palo Alto Networks Unit 42 discovered this technique, as outlined in the report ‘Phishing Campaign Baits Hook With Malicious Amazon PDFs’.

Report Summary

The phishing campaign, suspected to be from a threat actor group known for its previous targeted attacks, uses PDF files disguised as Amazon order confirmations or shipping notifications. Once opened, victims are directed to a fake Amazon login page where their credentials are harvested.

The malicious PDF attack follows two stages:

  1. Lure: The victim receives an email with the malicious PDF attachment, prompting them to review their recent Amazon orders or track a package.
  2. Exploitation: Once opened, the PDF displays what appears to be an Amazon webpage, asking for login credentials.

Recommendations

Based on this threat report, consider implementing these recommendations to improve your organization’s security posture:

  • Enhance email security filters to block suspicious external emails.
  • Educate users about identifying potential phishing attempts:
    • Be suspicious of unsolicited emails containing attachments or hyperlinks.
    • Look out for spelling and grammatical errors in the message body.
    • Hover over links without clicking them to see if they direct to malicious websites.
  • Implement a comprehensive security awareness program to keep users updated about emerging threats.
  • Consider enabling multi-factor authentication (MFA) wherever possible to reduce the impact of credential harvesting.
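One way to make the email-filter recommendation concrete for this lure, as an added example (not code from the Unit 42 report or from this post): flag a PDF attachment that carries Amazon branding but links to a host outside Amazon's domains. It assumes the PDF reaches the fake login page through a clickable link stored as an uncompressed /URI action; the domain allowlist, the function names and the sample bytes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Illustrative allowlist (assumption): extend with the Amazon domains your users rely on.
LEGIT_DOMAINS = {"amazon.com", "amazon.co.uk"}
BRAND_RE = re.compile(rb"amazon", re.IGNORECASE)
# A link action stores its target as "/URI (literal string)"; parentheses may be escaped.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_uris(pdf_bytes):
    """Return link targets found in uncompressed /URI actions.
    Links inside compressed object streams need a real PDF parser."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris

def host_is_legit(host, legit=LEGIT_DOMAINS):
    """True only for an allowlisted domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in legit)

def suspicious_links(pdf_bytes):
    """For an Amazon-branded PDF, return web links that leave Amazon's domains."""
    if not BRAND_RE.search(pdf_bytes):
        return []
    flagged = []
    for uri in extract_uris(pdf_bytes):
        parts = urlsplit(uri)
        if parts.scheme in ("http", "https") and not host_is_legit(parts.hostname or ""):
            flagged.append(uri)
    return flagged

# Constructed fragments, not samples from the campaign (.example is a reserved TLD).
SAMPLE_LURE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://amazon.com.order-review.example/signin) >> >>\nendobj\n"
    b"2 0 obj\n(Your Amazon order has shipped)\nendobj\n"
)
SAMPLE_BENIGN = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://www.amazon.com/gp/css/order-history) >> >>\nendobj\n"
)

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_LURE))
    print(suspicious_links(SAMPLE_BENIGN))
```

Matching on the registered domain rather than on the word "amazon" anywhere in the URL is what catches lookalike hosts that merely start with amazon.com.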

External References

The threat report and additional details can be found at:

  • Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/phishing-campaign-malicious-amazon-pdfs
