PDF files are widely used across industries and often serve as official communication, which makes them ideal vehicles for attackers to hide malicious code.
Cybercriminals have studied the main detection methods used by the major email security providers and work to make their attacks increasingly difficult to detect.
Why are PDFs used? PDFs are sent as attachments, so they can evade the controls of automated detection systems. While the format has many features, criminals initially focused on its vulnerabilities and exploited them for their own benefit.
Over time, both browsers and PDF reading and editing software have updated their detection methods and reduced the vulnerabilities present in the format. However, PDFs are still used in one of the practices that works best for obtaining user data: phishing. Attackers can send a PDF as if it were an official document (from a government body, company or institution) and include fraudulent pages to obtain information or download malware onto the user's device.
But getting to that point requires some social engineering. The attackers already know whether the user subscribes to a streaming service, is a customer of a specific bank or is interested in a particular purchase, and then impersonate that identity (the streaming service, the bank or the online store). Criminals can, for example, act in the name of the bank: they send a false communication telling the user that, thanks to their profile as a client, they have been granted a preferential credit rate and must click on a certain link to validate their information.
Once the user follows that link, the attack unfolds. On many occasions the genesis of a cyber attack is the email hidden behind a seemingly harmless PDF file. Although this technique is not very sophisticated, its simplicity makes it difficult for automated systems to detect. The attacker's goal is to get the victim to click on the link.
How do these PDFs pass unnoticed?
What makes these campaigns difficult to detect is that attackers control every aspect of the message and can even edit it to impersonate several organizations. These attacks involve human interaction (the victim must click on the link), which is usually an advantage for attackers, since automated detection systems struggle with tasks that require human decision-making. To avoid detection, threat actors use several techniques. Knowing them is essential to understanding how these attacks work and how to avoid them:
Redirection: Attackers use redirection services such as Bing, LinkedIn or Google AMP to mask the true destination of the malicious link. These services (Bing, LinkedIn, etc.) are usually on the allow lists of security vendors, which makes the threat hard for automated systems to detect.
QR codes: Another technique is to add QR codes to PDF files so that the user scans them with their phone. This lets the attackers bypass traditional URL scanners entirely.
Telephone scams: In some cases, attackers rely on social engineering to get victims to call a phone number that appears in the document.
Machine learning evasion: As security systems increasingly depend on machine learning (ML) to detect threats, attackers find ways to evade these models. A common technique is to add the text as an image: instead of placing the text content in the PDF, criminals write the text in an image editor and paste that image into the PDF. Security systems then find no text and must rely on optical character recognition (OCR), which is prone to errors.
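The indicators listed above (links routed through allow-listed redirectors, JavaScript or auto-run actions, and pages that carry a picture of text instead of text) can be checked directly in the file bytes before a user ever opens the PDF. The scanner below is an added example written for this article, not code from the original or from any vendor it mentions. It inflates FlateDecode streams with the standard library, pulls out link targets, and flags the same features a reader is later told to look for by hovering over links or by disabling JavaScript. The two sample PDFs are constructed inline (they are skeletons, not real documents), and the REDIRECT_HOSTS set is an illustrative assumption to be extended with the redirectors seen in your own mail flow.

```python
import re
import zlib
from urllib.parse import urlparse

# Redirect services the article names as commonly allow-listed (constructed,
# illustrative set; extend it with the redirectors seen in your own mail flow).
REDIRECT_HOSTS = {"bing.com", "linkedin.com", "lnkd.in"}


def _inflate_streams(pdf: bytes) -> bytes:
    """Return the raw PDF followed by the inflated body of every FlateDecode
    stream, so text and actions inside compressed streams are visible to the
    regexes below. Streams that are not zlib data are skipped."""
    chunks = [pdf]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        try:
            # decompressobj tolerates the trailing newline before "endstream"
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(chunks)


def extract_uris(pdf: bytes) -> list:
    """Collect literal-string /URI targets from link annotations and actions."""
    data = _inflate_streams(pdf)
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"/URI\s*\(([^)]*)\)", data)]


def is_redirector(url: str) -> bool:
    """True if the link passes through a known redirect service rather than
    pointing straight at its destination."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in REDIRECT_HOSTS):
        return True
    # Google AMP cache links look like https://www.google.com/amp/s/<real-host>/...
    return host.endswith("google.com") and parsed.path.startswith("/amp/")


def scan_pdf(pdf: bytes) -> dict:
    """Flag the indicators the article describes and return them with a simple score."""
    data = _inflate_streams(pdf)
    uris = extract_uris(pdf)
    has_image = re.search(rb"/Subtype\s*/Image", data) is not None
    has_text = re.search(rb"\bT[jJ]\b", data) is not None  # Tj / TJ text-show operators
    findings = {
        "javascript": re.search(rb"/(JavaScript|JS)\b", data) is not None,
        "open_action": b"/OpenAction" in data,  # an action that runs as soon as the file opens
        "launch_action": re.search(rb"/S\s*/Launch", data) is not None,  # runs an external program
        "uris": uris,
        "redirector_uris": [u for u in uris if is_redirector(u)],
        "image_only": has_image and not has_text,  # a picture of text, no real text operators
    }
    score = sum(1 for k in ("javascript", "open_action", "launch_action", "image_only") if findings[k])
    findings["risk_score"] = score + len(findings["redirector_uris"])
    return findings


# Constructed sample 1: a minimal PDF skeleton carrying the article's indicators.
# It is not a real document, just enough structure for the scanner to see.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 6 0 R >> >> /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.bing.com/ck/a?u=https%3A%2F%2Fexample.invalid%2Flogin) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
6 0 obj << /Type /XObject /Subtype /Image /Width 800 /Height 1100 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: a benign-looking statement whose page text sits in a
# FlateDecode stream and whose single link goes straight to the sender's domain.
_PAGE_TEXT = zlib.compress(b"BT /F1 12 Tf 72 700 Td (Your statement is attached.) Tj ET")
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Length " + str(len(_PAGE_TEXT)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _PAGE_TEXT + b"\nendstream\nendobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://bank.example/statements) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, scan_pdf(blob))
```

The score is deliberately crude: a single JavaScript action or an image-only page is common in legitimate files, so treat the output as a triage signal to route a message for closer review, not as a verdict. Hex-encoded strings and object streams are not parsed here; a production scanner would use a full PDF parser.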
How to stay safe from PDF-based attacks
Here are some useful recommendations for evaluating a PDF file and identifying possible attacks.
Always verify the sender. Even if the PDF seems legitimate, verify the sender's email address. Cybercriminals often impersonate known brands to deceive you. Are there obvious spelling errors in the content of the email? Does the URL in the email lead to a genuine page? Check these details carefully for clues about the authenticity of the communication.
Be careful with attachments. If you were not expecting a PDF, especially one that asks you to click on a link, scan a QR code, call a number or, worse, contact the company at a WhatsApp number, consider it suspicious.
Check the file extension. Be suspicious if the attachment in the email shows the icon of a PDF document, but when you hover the cursor over it or view the full file name you notice that the extension is not .pdf but .exe, .bin or .txt. This is a very clear indicator: do not download or open that file.
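The extension check above can be automated at the mail gateway or in a triage script, because an icon is only a hint while the file name and the first bytes of the content are facts. The example below is added for this article and is not code from the original; it flags a double extension such as "invoice.pdf.exe", an executable extension, a name that is not the PDF the message implied, and a file whose leading bytes do not match what its name claims. The magic-byte table, the executable-extension list and the sample attachments are constructed for the example.

```python
import unicodedata

# Leading bytes ("magic") of a few file types. Constructed table for the example.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",          # Windows PE executable
    b"PK\x03\x04": "zip",  # zip container (also docx/xlsx/jar)
}
# Extensions that should never arrive as a "document". Constructed list: the
# article names .exe and .bin, the rest are other common executable types.
EXECUTABLE_EXTS = {"exe", "bin", "scr", "bat", "cmd", "msi", "js", "vbs", "hta", "lnk"}


def sniff_type(data: bytes) -> str:
    """Identify the content by its leading bytes, ignoring whatever the name claims."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes, expected_ext: str = "pdf") -> list:
    """Return the reason codes an attachment looks suspicious; an empty list means clean.
    expected_ext is what the message led the recipient to expect (the article's case: a PDF)."""
    reasons = []
    # Unicode format characters (category Cf, e.g. direction overrides) can make a
    # name display differently from how the system will interpret it.
    if any(unicodedata.category(ch) == "Cf" for ch in filename):
        reasons.append("control_chars")
    parts = [p.strip().lower() for p in filename.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    # "invoice.pdf.exe": the expected extension buried in the middle of the name
    if len(parts) > 2 and expected_ext in parts[1:-1] and ext != expected_ext:
        reasons.append("double_extension")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable_extension")
    if ext != expected_ext:
        reasons.append("extension_mismatch")
    kind = sniff_type(data)
    # The name says PDF but the bytes say otherwise (or say "executable" outright)
    if ext == expected_ext and kind != expected_ext:
        reasons.append("content_not_" + expected_ext)
    if kind == "exe":
        reasons.append("content_is_executable")
    return reasons


# Constructed sample attachments (name, first bytes) for a stand-alone run.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00"),
    ("notes.txt", b"plain text, nothing more"),
]


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to its reason codes."""
    return {name: check_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{name:18} {'SUSPICIOUS' if reasons else 'ok':10} {reasons}")
```

Note that "statement.pdf" with executable content is the case the icon check alone misses: the name is a clean .pdf, and only the bytes reveal the mismatch, which is why a gateway should inspect content and not trust the name or the icon.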
Hover before clicking. If the previous checks passed without problems (it looks like a genuine email address, there are no spelling errors, it uses the organization's own imagery, it is a PDF file, etc.), hover the cursor over the link in the PDF (without clicking) to preview the complete URL.
If the link does not belong to the company it claims to represent, that can be a sign of a false link. Be especially cautious with shortened links or those that use redirection services such as Bing or LinkedIn.
Use a safe PDF reader
Modern browsers and PDF readers have built-in security functions. Keep them updated and avoid opening PDF files in unknown software or in software that is obsolete or discontinued.
Disable JavaScript in PDF viewers
If your PDF reader supports JavaScript (many do), disable it unless it is absolutely necessary. This reduces the risk of script-based attacks.
Keep your systems and security tools updated. Make sure your operating system, browser and antivirus software are updated regularly. Patches are the first line of defense against the vulnerabilities exploited by malicious PDFs.
Trust your instinct. If a PDF seems too good to be true, has a strange format, contains typographic errors or requests credentials, it is likely a trap. Our brains can pick up on details and alert us to anomalies we are not always consciously aware of.
Emergency filter
Will the world end if you do not respond to that request or do not open the link in the PDF? If the task can wait, take the time to confirm it. Call the bank or the entity that is supposedly contacting you and make sure the document is genuine. It is better to take a little more time and confirm than to act in a hurry. If it is an attack, there is little that can be done to protect yourself after clicking.
*Marianela Zampatti Maida is Chairwoman of Zma It Solutions.
By Marianela Zampatti Maida

