Spam and phishing

A Phishing Trampoline – embedding redirects in PDF documents

Today I ran into a typical fraud email claiming to come from a U.S. bank but with a twist! Analyzing the attachment, it turns out that there’s no malware inside but instead a new middle step to fool lesser security software.

Phishing email

The original file name is “Swift confirmation .pdf” and it was created using Microsoft Word 2010.

/Author(Unknown)/CreationDate(D:20150814180000-04’00’)/Creator(Microsoft« Word 2010

So, if it is not malware then what’s the catch?

Well, this is a ‘Mediabox’-clickable document file used to redirect victims to a phishing website.

Swift confirmation

If the victim clicks on ‘View pdf File’ then it first opens a redirector website and then finally makes the jump to a server located in Chile that actually hosts the phishing attempt.

Mediabox
Capture

This is an interesting technique that would fool some Anti-Phishing filters based on analysis of the URLs in the  embedded  email messages themselves.

A Phishing Trampoline – embedding redirects in PDF documents

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Subscribe to our weekly e-mails

The hottest research right in your inbox