Phishing Campaign Baits Hook With Malicious Amazon PDFs
Researchers are highlighting the rise of a new phishing tactic: a campaign that uses PDF documents to trick victims by announcing expired Amazon Prime memberships.
Users are targeted by email and, after clicking on the PDFs, are taken to pages that impersonate Amazon, where they are urged to input their personal details and credit card information.
The researchers at Palo Alto Networks Unit42 who discovered the campaign have collected 31 PDF files with links to these phishing sites, none of which had been submitted to VirusTotal.
The chain of events in the phishing attack begins with the email containing the PDF attachment. After clicking the link in the PDF, the victim is redirected from the initial URL to subdomains of duckdns[.]org that host the phishing website.
"These phishing websites use cloaking to redirect scans and other analysis attempts to benign domains," the researchers wrote. The domains for most of the initial and intermediate staging URLs are hosted on the same IP address.
There are four initial links used in the campaign that potential victims should be wary of:
hxxps[:]//redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns[.]org/XOZLaMh
hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn
hxxps[:]//zmehiasdhg7uw.redirectme[.]net/xn28lGa
hxxps[:]//rediahxjasdusgasdzxcsdefwgasdgasdasdzxdz.duckdns[.]org/agungggg1298w862847
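A mail-gateway triage check for the pattern described above, as an added example that is not code from Unit 42 or the article: it pulls link targets out of a PDF attachment, including links stored in Flate-compressed streams, and flags any whose host sits under the dynamic-DNS parent domains seen in the four links. The function names and the sample document are constructed for illustration, and the regex extraction is a triage approximation rather than a full PDF parser.

```python
import re
import zlib
from urllib.parse import urlsplit

# Dynamic-DNS parent domains taken from the four initial links in the article.
DYNDNS_SUFFIXES = ("duckdns.org", "redirectme.net")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")      # /URI (target) in a link action
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)  # raw stream bodies

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps[:]//a[.]b) back into a URL for matching."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

def pdf_link_targets(data: bytes) -> list[str]:
    """Return /URI targets from plain objects and from Flate-compressed streams."""
    bodies = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate data (image, font, encrypted stream, ...)
    urls = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
            urls.append(raw.decode("latin-1"))
    return urls

def suspicious_links(data: bytes) -> list[str]:
    """Links whose host sits under one of the dynamic-DNS parent domains."""
    hits = []
    for url in pdf_link_targets(data):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:
            continue  # malformed URL, nothing to match on
        if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
            hits.append(url)
    return hits

def sample_pdf() -> bytes:
    """Constructed PDF fragment (not a campaign sample): one plain link, one compressed."""
    bad = refang("hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn").encode()
    packed = zlib.compress(b"<< /Subtype /Link /A << /S /URI /URI (%s) >> >>" % bad)
    return (b"%PDF-1.7\n1 0 obj << /A << /S /URI /URI (https://example.com/help) >> >> endobj\n"
            b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n")
```

Calling `suspicious_links(sample_pdf())` returns only the duckdns link, which a scan of the raw bytes alone would miss because it sits inside the compressed stream. Because the article says the landing pages cloak themselves from scanners, the match is made on the hostname in the attachment rather than on anything fetched from the URL.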
"The initial attack vector, where users are beguiled into opening an email attachment containing a PDF file, is a stark reminder of the importance of remaining vigilant of emails," Javvad Malik, lead security awareness advocate at KnowBe4, wrote in an emailed statement. "Emails still remain the most popular attack avenue for phishing, so it's important that people have the right education and tools at their disposal to be able to effectively identify and report any suspicious activity."
source: DarkReading