Phishing with PDFs and Why It Works

Wednesday, May 02, 2012

f8lerror

Many penetration tests require social engineering a target.

You could send targets all kinds of payloads or malicious things, but sometimes that gets picked up by anti-virus. Also, sometimes getting a ‘shell’ may not be in the rules of engagement.

Let’s talk about something that relies completely on the user being conned into following the attacker’s instructions. The scenario is simple: send the user a PDF form and have them submit it. The attack can be broken down into three main steps.

   1. Create the form
   2. Spoof an email
   3. Wait for the results

There are many ways to make this form; this is just how I did it.

First, create a form and make it believable:

[Image: Form]

Next, import it into Acrobat and select create PDF form.

Acrobat will do some magic. On the right-hand side, click add new field -> OK button. A blue box will show up; place it anywhere you want. This is your submit button.

Click properties and, on the options tab, set the label to submit. Finally, under the actions tab, set the trigger to mouse down. Select the action Submit a form, click add, and fill out the appropriate information. ***If you are doing this over an insecure network, use HTTPS, please***

[Image: form2]

Save the document and then get ready to send it. In this example I would spoof it from a human resources person. Also, if you don’t know how to spoof an email, you shouldn’t even be reading this.

Finally, we fire up our listener; this could be just netcat, or you could write your own.

Why will this attack be successful?

  • The victim will be more relaxed due to the spoofed email.
  • If the email is worded carefully, words like ‘we’, ‘help’ and ‘required’ have a psychological effect on people, making them more apt to follow instructions.
  • No anti-virus will be triggered, which relaxes the user more.
  • The words in the document, “Please, use the submit button to ensure secure delivery of your information.”, reinforce the “trustworthiness” of the message.
  • When a link is clicked in Adobe Reader, it always asks if the user wants to allow the connection. This inherently trains users to click allow without reading.
  • It’s easy. Let’s face it, users are lazy.

Here is the result of a successful test attack:

[Image: incoming]

How could the user have protected themselves?

  • Anytime a document requests sensitive information, verify the source or sender.
  • If the requested action seems out of the ordinary, verify the source or sender.
  • When the submit button is hit, a warning pops up like the image below; verify the address the document is going to.
  • Read before you click!

[Image: Read before you click]
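
The check asked of the user above, verifying the address a form submits to, can also be run on an attachment before it reaches an inbox. The sketch below is an added example, not part of the original post: it pulls the target of each /SubmitForm action out of a PDF's raw bytes and flags targets that are not HTTPS or not on an allowlist. The sample bytes, the host names and `ALLOWED_HOSTS` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: two uncompressed PDF objects that carry submit-form actions.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"12 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Btn /T (Submit)\n"
    b"  /A << /S /SubmitForm /F << /FS /URL /F (http://forms.example.net:8080/hr) >> >> >>\n"
    b"endobj\n"
    b"13 0 obj\n<< /S /SubmitForm /F (https://hr.corp.example/benefits) >>\nendobj\n"
)

# Assumption: the hosts this organisation really uses to collect form data.
ALLOWED_HOSTS = {"hr.corp.example"}

OBJECT = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)endobj", re.S)
# /F followed by a literal string: the URL of the submit target.
URL_STRING = re.compile(rb"/F\s*\(((?:[^()\\]|\\.)*)\)")


def submit_targets(pdf_bytes):
    """Return the URL of each /SubmitForm action found in uncompressed objects."""
    targets = []
    for body in OBJECT.findall(pdf_bytes):
        if not re.search(rb"/S\s*/SubmitForm\b", body):
            continue
        for raw in URL_STRING.findall(body):
            unescaped = re.sub(rb"\\(.)", rb"\1", raw)  # undo \( \) \\ escapes
            targets.append(unescaped.decode("latin-1"))
    return targets


def review(pdf_bytes, allowed_hosts=ALLOWED_HOSTS):
    """Pair every submit target with the reasons it deserves a second look."""
    findings = []
    for url in submit_targets(pdf_bytes):
        parsed = urlparse(url)
        reasons = []
        if parsed.scheme.lower() != "https":
            reasons.append("not-https")
        if (parsed.hostname or "").lower() not in allowed_hosts:
            reasons.append("unknown-host")
        findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in review(SAMPLE_PDF):
        print(url, "->", ", ".join(reasons) or "ok")
```

This is a heuristic over uncompressed objects only; a file that keeps its objects in compressed streams has to be expanded first, for example with `qpdf --qdf --object-streams=disable`.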

Good Luck!

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.