Scam Of The Week: Locked PDF Phishing Attack

ios_mail_phishing.jpgWednesday Jan 4th, the SANS Internet Storm Center warned about an active phishing campaign that has malicious PDF attachments in a new scam to steal email credentials.

The SANS bulletin said that the email has the subject line “Assessment document” and the body contains a single PDF attachment that claims to be locked. A message reads: “PDF Secure File UNLOCK to Access File Content.”

John Bambenek, handler at SANS Internet Storm Center said: “This is an untargeted phishing campaign. They are not going after the most sophisticated users. They are going after Joe Cubicle that may not think twice about entering credentials to unlock a PDF,”

This is a large spray-and-pray campaign that hopes to get a small foothold into your org via an email account and then compromise, tunnel in or send spear-phishing attacks. Here is how it looks:


The email claims it’s from VetMeds and the PDF is identified as a VetMeds assessment. Once opened, the contents of the one-page PDF indicates that the document is a SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking transaction.

“It doesn’t matter what email address or password you input into the fake unlocking mechanism. The document is opened and anything you input is transmitted to the spammer,” Bambenek said.

pdf_phishing_adobe_warning.pngWorkstations that use the Adobe PDF reader are cautioned via a security warning dialogue box before opening. The Adobe message reads: “The document is trying to connect to… If you trust the site, choose Allow. If you do not trust the site, choose Block.”

However, Bambenek points out that Windows 10 by default uses the Edge browser, and when Edge opens the VetMeds PDF, unlike with Adobe, no warning message is presented to the user.

SANS says they do not know exactly how big the campaign is, but over the past few days, SANS has been forwarded a number of these phishing emails from across America.

“Be wary of emails from domains that don’t match the contents, note that encrypted PDF documents are not locked this way (and will never ask you for your actual email password anyway), and look for other inconsistencies that give these away as scams,” he advises.

I suggest you send the following Scam Of The Week to your employees, friends and family. Feel free to copy/paste/edit.

"There is a phishing attack going on you need to know about. The campaign sends and email with the subject: "Assessment document" and the body of the email has a PDF attachment in it that claims that it is locked.

The message reads:  "PDF Secure File UNLOCK to Access File Content". If you click to unlock the document, a dialog box comes up that asks you to put in your email address and password.

If an email like that makes it into your inbox, do not click on anything, and definitely do not enter your email address and password. Follow the organization's procedure and if you are at the house, delete the email.

Remember, Think Before You Click!

We will let you know more when there is additional data. But start sending out this warning asap. You need to stay alert and keep your "human firewall" on their toes with security top of mind.

if you are not a KnowBe4 customer yet, at times like this, it is very good to know what percentage of your users are vulnerable to social engineering attacks. We recommend you do your free Phishing Security Test and find out what the phish-prone percentage of your users is. 

Get My Free Phishing Security Test Now!

PS, if you do not like to click on buttons with redirects, here is a URL you can cut/paste:

Let's stay safe out there.

Warm regards,

Stu Sjouwerman

Founder and CEO, KnowBe4, Inc.



Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews