As a security practitioner, I receive perhaps more than my fair share of nefarious email. With “Black Friday” and the impending consumer rush I’ve seen an uptick in the behavior. YOU WILL LIKELY SEE A SUBSTANTIAL INCREASE BETWEEN NOW AND JANUARY 5, 2024.
Here we have a pair of fairly classic “scam” emails. Both include an Adobe .PDF attachment. The first has a very brief “thank you for your purchase” message with a random hash. The second is glowing and makes use of the word “VIP” to make me feel special – a delightful day at the beach indeed.
They’ve piqued my interest. At face value I’ve absolutely know way of knowing what kind of attack might be embedded in the .PDF attachments, and I’m paranoid by default. I open them in a disposable sandbox virtual machine where I can safely save them to my local filesystem and submit them to Virus Total.
Satisfied that they don’t contain dangerous code, we can now take a look.
What you wind up with here is completely devoid of a digital attack beyond having delivered information to you about a hefty sum of money being expended. The true target in both cases is YOU, the reader. More than anything, they hope you’ll pick up that telephone and give them a ring to get your money back. And why not? It’s your money for starters, and you just might need it for your Black Friday shopping. Oh my gosh, they’re going to RUIN our holiday! FIX IT!
Once they’ve got you on the phone, they’ll attempt all manner of social engineering to convince you to allow them to perform a remote screen share session to facilitate the refund.
There is, frankly, little I can add to the outstanding work that Jim Browning does on his YouTube channel. For the deepest understanding of the methods involved in this sort of attach, I highly recommend watching a few of his excellent videos.