14 DAY TRIAL // A rather new phishing technique seems to be preferred by some hackers nowadays - the deceitful PDF attachments that attempt to steal your email credentials.
In a Microsoft blog, the folks over at the malware prevention team point out that the heightened phishing activity that usually takes place during the holiday season did not go down this winter. This time, however, with the new spam campaign featuring PDFs, there was a little less malware or exploit code.
Instead of these more “traditional” techniques, hackers now rely on social engineering to lead victims to phishing pages where they are asked to divulge sensitive information. It is unknown just how many people have fallen victim to such attacks, but Microsoft wants everyone to be aware of how they could be affected.
To that extent, there are several examples of how you might fall victim to a phishing scam without even knowing.
What to watch out for
One method identified by Microsoft is when these PDF attachments are sent they are made to look as if they come from a legitimate company. In this case, the PDF is a quotation for a product or a service, for instance. Therefore, you should pay extra attention when receiving such emails, because even if they look real, they might be spoofed, so do check the address they're coming from. When opened, the mail displays a message that you’ll need to open with Excel, but instead sends you to a new page where you will have to input your credentials to get access to it.
Of course, this is all a ruse, and it shows why it is important to have the latest browser versions installed. Firefox and Chrome, for instance, have both started flagging down unsecured connections where your information is required. Microsoft Edge will also block the page. While phishing pages with HTTPS have been seen lately thanks to various online services, you’re still a bit safer if you run the latest updates of whatever browser it is you’re using.
Other methods noticed by Microsoft involve receiving the PDF attachments via a veiled Dropbox link or as a request to enter your email address to be able to download the file. These are all suspicious behavior patterns and should be avoided.
“As we saw from these examples, social engineering attacks are designed to take advantage of possible lapses in decision-making. Awareness is key; that is why we’re making these cybercriminal tactics known,” the Microsoft blog reads.