Threat Actors Seek Your Credentials Before You Even Reach the URL

Cofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtain a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique.

Cofense Intelligence obtained a phishing email that allegedly informs the recipient of an Amazon.de bill of sale. The German language email lure claims to deliver a tax invoice and requests the recipient to view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened in Adobe Reader or Adobe Acrobat. When the PDF is opened in either Adobe Reader or Acrobat, the victim will be prompted through the PDF to enter their Amazon.de email address and password (Figure 1).

Figure 1:  The German-language PDF prompts the victim to enter their Amazon credentials (Note: The credentials entered in the screenshot are false and are used as an example.)

Once the credentials are accepted, the victim receives another pop-up window warning the victim that the PDF is attempting to open a webpage to panelessolaresparaguay[.]com (Figure 2).

Figure 2: The victim is required to click “Allow” in order to proceed to the next step

After clicking “Allow,” the PDF opens a browser window and directs the victim to a German Amazon phishing page, whose URL contains the email address entered in the PDF prompt in the path of the URL:

hxxp://sellercentral.amazon.de[.]347ty49h89ehg8ui7yt348[.]panelessolaresparaguay[.]com/step1[.]php?account=example@example(.)com

Figure 3 displays the first step in the German Amazon phishing page which has a loading image and a countdown informing the victim that a verification code has been sent to the recipient, yet Figure 3 does not specify the method by which the recipient will receive the code.

Figure 3: The PDF directs the victim to a German Amazon phishing page

When the page finishes loading, the victim is required to enter a code that was supposedly sent to the victim’s phone number, possibly in an attempt overcome Two Factor Authentication (2FA) (Figure 4). However, the phish never once prompts the victim to enter a phone number in this scam. The victim also has the option of clicking on what appears to be a link that would supposedly provide information on retrieving the code labeled “Haben Sie den Code nicht erhalten?” (English translation: “Did not you receive the code?”). Instead, the link does not direct the victim to another page and the victim is forced to enter any string of characters to proceed to the next step. Thus, it is more likely this is done not to overcome 2FA but to distract intended victims and leave them none-the-wiser that they exposed their credentials.

The following URL directs the victim to step 2:

hxxp://sellercentral.amazon.de[.]347ty49h89ehg8ui7yt348[.]panelessolaresparaguay[.]com/step2[.]php

Figure 4: The field will accept any information entered to proceed to the next page

After the victim enters a “code” and clicks the button to proceed to the next step, the page redirects the victim to the genuine Amazon Seller Central’s European website on Amazon.de, indicating the phishing scam is completed.

This credential phishing scam underscores a unique method of stealing login credentials before the victim is required to interact with a browser window. This is unusual given that most scams harvest credentials via a phishing webpage. In analyzing this campaign, Cofense Intelligence found that opening the PDF in non-Adobe applications will not display the login prompt and, because the PDF states the document cannot be opened in a browser, victims cannot interact with the PDF in Adobe PDF Online, an application used to edit PDFs in a browser.

The tactics, techniques, and procedures observed in this credential phishing scam highlight a unique method in which threat actors now steal their victims’ credentials. Credential phishing scams like the one above pose a serious risk to individuals and organizations and emphasize the importance of phishing awareness and education. Learn how Cofense PhishMeTM empowers users to recognize and report suspicious messages and avoid falling victim to costly phishing scams.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan
Where Do Security Awareness Programs Belong on the Org Chart?

Leave a Reply