Sign in

Phishing campaign uses PDF attachments

By: Lisa Marlin

January 9, 2017

Starting off new year is a warning from the SANS Internet Storm Center about an active phishing campaign that utilizes PDF attachments to harvest email credentials from victims. The email says it’s from VetMeds and the PDF is identified as a VetMeds assessment. The email has the subject line “Assessment document” and the body contains a single PDF attachment that claims to be locked. A message reads: “PDF Secure File UNLOCK to Access File Content.”

Stop! Do not click that link!

A warning bell should go off in the head of the email recipient. Unfortunately, that doesn’t always happen. The link gets clicked, the document unlocks, and the PDF document opens using the computer’s default viewer. A dialogue box then appears above the PDF prompting the user to input their email address and password.

“This is an untargeted phishing campaign,” said John Bambenek, handler at SANS Internet Storm Center. “They are not going after the most sophisticated users. They are going after Joe Cubicle that may not think twice about entering credentials to unlock a PDF.” He says that it doesn’t matter what email address or password you input into the fake unlocking mechanism, the document is opened and anything you input is transmitted to the spammer.

As of this posting, the size and scope of the phishing campaign is unclear. What is clear is that you should be on the lookout for this latest scam.

Phishing tests prove valuable

PrivaPlan offers phishing testing for our customers to test, educate and retest their user’s susceptibility to phishing scams. These tests have been helpful in showing the risk that phishing poses to a covered entity.  

“Security officers with good training programs have been shocked to discover the numbers of their people who will click a link or even give away their username and password to an untrustworthy source,” said Michaela Kahn, social engineering specialist at PrivaPlan. “There is a large range of results, but on average we find our initial test results in a score of approximately 20% ‘Phish Prone’ and we see that score, on average, fall 10 percentage points with the second round of testing,” she said.

PrivaPlan recommends that all covered entities test their users for phishing awareness and setup proper recurring training for their users. “Phishing testing goes beyond regular training practices to give both real numbers and an experiential approach to training,” Michaela said. “You can bet that the person who entered password data and then gets a notice that they’ve been phished is going to carry a new level of awareness with them going forward.”

To find out how the HIPAA experts at PrivaPlan can assist you with phishing testing, and the many other services we provide, contact us at info@privaplan.com or call 877-218-7707.