PDF Phishing campaign uses Google Docs to steal victim's Email credentials
SonicWall Capture Labs Threats Research team has discovered an ongoing phishing campaign which abuses genuine web-based software office suite platform like google docs. Upon opening the PDF file, a blurred image with instructions on how to view the document is displayed to the user:
If the instructions as mentioned in the PDF file are followed, an HTML file is downloaded without user intervention from Google Docs URL as shown below:
When the downloaded HTML file is opened, the user is shown a genuine looking webpage with options to select email providers like Yahoo, Google, Outlook, Office etc to view the document:
Depending upon the email provider chosen by the user, one of the following form would be displayed:
Upon entering the user credentials and clicking the sign-in button the user is displayed a clean PDF file downloaded from remote server to appear legitimate:
However in the background the malware author steals user credentials when the sign-in button is clicked and sends them to remote web server “hxxps://webpersonaltrainer[.]top” as shown below:
These PDF files are not detected by any vendor when checked on top threat intelligence sharing portals like virus total:
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Downloader.FR (Trojan)
- GAV: Downloader.PD_18 (Trojan)
