October 16, 2018

Fake password protected files.

By Michael Aminov, Founder & Chief Architect

Phishing via email has always been a core attack technique. Simply sending an email with a link to a deceptive website with a fake login is a favorite move. Recently, we have observed frequently utilized evolutions of this technique – where attackers leverage a fake login to trick the user into exposing his username and password by presenting fake files that require one to “login” in order to view the content of the file.

The attack involves sending an email with a legit looking document (either a PDF or Office file). The files don’t have any malicious content inside such as macros or exploits, and therefore easily bypass the most popular email security solutions.

When opening the file, the user will see some blurred content in the background and a claim that the file is protected by password or only available in the cloud. Therefore requiring the user to login to his account in order to view the content.

In the next image we can see an example of an email sent to one of our financial institution customers. As you see there’s a PDF attachment with a link inside leading to a fake Adobe login screen.

Here is a similar example with an Excel file:

Summary.

These phishing attempts can be more effective than just sending a link inside an email. First, they easily bypass email security solutions that only scan URLs placed directly inside emails (for example Office 365 “safe links”). Second because it creates a call-to-action for the busy end user – the email is already in his inbox, he his seeing some blurry content that be believes he needs to access and all that’s left is to do a quick “login”.

The way Perception Point is able to identify this technique as malicious, and block it before it reaches the user, is thanks to our Recursive Unpacker, which “unpacks” several layers of files and links to identify embedded attacks, combined with our advanced Phishing engines.

To learn more about our solution,

CLICK HERE

Want to know more?

Contact Us.



Link has been copied to your clipboard!