{"id":18514,"date":"2021-07-06T17:35:37","date_gmt":"2021-07-06T13:35:37","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/adobe-online-imitation\/18514\/"},"modified":"2021-07-06T17:36:00","modified_gmt":"2021-07-06T13:36:00","slug":"adobe-online-imitation","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/adobe-online-imitation\/18514\/","title":{"rendered":"Online PDFs for corporate e-mail phishing"},"content":{"rendered":"<p>The latest in phishers\u2019 battle for corporate e-mail credentials involves notifications allegedly from Adobe online services. And because they\u2019ve begun using an online PDF file (supposedly stored on Adobe\u2019s website), we created a real file to highlight the signs of a fishy e-mail and a fake \u201conline PDF.\u201d<\/p>\n<h2>Adobe PDF Online phishing message<\/h2>\n<p>In the phishing messages, the first thing that stands out is the description of the file \u2014 shared with you through \u201csecure Adobe PDF online.\u201d Right away, ask yourself, does the service actually exist? It sounds plausible, and a quick Google search will tell you Adobe does indeed have a service for storing PDF files online, and that service does enable users to share encrypted files. But you won\u2019t find the name \u201cAdobe PDF online\u201d anywhere on a real Adobe website. 
It\u2019s either \u201cAdobe Acrobat online\u201d or \u201cAdobe Document Cloud.\u201d Curious, I asked a colleague to send a file to me so I could compare the notifications.<\/p>\n<div id=\"attachment_40511\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/07\/06173545\/adobe-online-imitation-letter.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-40511\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/07\/06173545\/adobe-online-imitation-letter.jpg\" alt=\"The real message is on the right\" width=\"1460\" height=\"726\" class=\"size-full wp-image-18515\"><\/a><p id=\"caption-attachment-40511\" class=\"wp-caption-text\">The real message is on the right<\/p><\/div>\n<p>Let\u2019s assume you don\u2019t know what a real file-sharing e-mail from Adobe looks like. Here are some signs. Not one of the following is a guarantee of fraud, and there are exceptions to every rule, but each should raise your suspicions and prompt you to pay close attention and investigate further:<\/p>\n<ol>\n<li>The sender. If an e-mail is from an online service, that should be obvious from the sender\u2019s name and address. Conversely, if the sender is a specific person, a message from them won\u2019t look like a notification from a service;<\/li>\n<li>The subject line. If you\u2019re writing to someone called Leo, would you write something like \u201cleonides@gmail.com received a PDF file\u201d as the subject?<\/li>\n<li>The name of the service. You don\u2019t have to remember the name of every single online service, but if you\u2019re not totally sure, use a search engine to check it;<\/li>\n<li>Hyperlink\/icon. Before clicking on a Download or Open icon, hover your cursor over it to inspect the hyperlink and make sure it goes where it should;<\/li>\n<li>E-mail footer. 
An e-mail from Adobe is highly unlikely to end with an assurance that Microsoft respects your privacy;<\/li>\n<li>The words \u201cplease read our Privacy Statement\u201d without a hyperlink.<\/li>\n<\/ol>\n<h2>Not Adobe Document Cloud\u2019s website<\/h2>\n<p>At the moment, we can still depend on phishers to make stupid mistakes, but nothing is stopping them from doing a good job. Suppose the e-mail looks great. Now it\u2019s time to check out the website, which in this case looks like an authentication window obscuring the blurred interface of Adobe Acrobat Reader DC. That\u2019s actually plausible, although only if the person who received the e-mail doesn\u2019t know what the real website for Adobe\u2019s online services and its password request window look like.<\/p>\n<div id=\"attachment_40512\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/07\/06173554\/adobe-online-imitation-file.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-40512\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/07\/06173554\/adobe-online-imitation-file.jpg\" alt=\"Password request on phishing website (top) and on Adobe's real website\" width=\"1460\" height=\"1224\" class=\"size-full wp-image-18517\"><\/a><p id=\"caption-attachment-40512\" class=\"wp-caption-text\">Password request on phishing website (top) and on Adobe\u2019s real website<\/p><\/div>\n<p>Here, the warning signs vary somewhat. Start with the blurred background: fairly unprofessional protection for confidential data; some of the text is easy to decipher with the naked eye.<\/p>\n<ol>\n<li>The URL. The website for an Adobe service should have an Adobe domain in its address;<\/li>\n<li>Despite the blurring, you can still make out the filename: EMInvoice_R6817-2.pdf. 
That doesn\u2019t match the authentication window, which says the file available for download is called \u201cWire Transfer Receipt.pdf\u201d;<\/li>\n<li>Mixed-up terms. The blurred document has \u201cInvoice\u201d written on it (as in, a request for payment), but the filename says \u201creceipt\u201d (confirming payment already received);<\/li>\n<li>Program versions. The name \u201cAdobe Acrobat Reader DC\u201d is apparent in the blurred background, whereas the program named in the authentication window is Adobe Reader XI. Someone who rarely uses PDFs might not know XI is an older version of the software, but the discrepancy should stand out regardless;<\/li>\n<li>AdobeDoc Security. You might not keep track of the names Adobe uses for its technologies, but there\u2019s a registered trademark symbol next to \u201cAdobeDoc,\u201d and that\u2019s worth checking;<\/li>\n<li>Request for an e-mail password. A legitimate Adobe service does not need your e-mail password, period.<\/li>\n<\/ol>\n<h2>How to protect corporate e-mail from phishers<\/h2>\n<p>To keep company employees safe from phishing:<\/p>\n<ul>\n<li>Regularly <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">increase employee awareness<\/a> of current cyberthreats to help them avoid falling for phishing tricks;<\/li>\n<li>Install an <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">antiphishing solution<\/a> on the corporate e-mail server to keep most phishing e-mails from reaching employees\u2019 inboxes;<\/li>\n<li>Install <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security 
products with antiphishing components<\/a> on every work computer; their filters will prevent employees from opening phishing links.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>Attackers claiming to represent Adobe online services are sending fake notifications to obtain corporate e-mail credentials. <\/p>\n","protected":false},"author":2598,"featured_media":18519,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1815,390,76],"class_list":{"0":"post-18514","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-e-mail","11":"tag-pdf","12":"tag-phishing"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/adobe-online-imitation\/18514\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/adobe-online-imitation\/23032\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/adobe-online-imitation\/9260\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/adobe-online-imitation\/24983\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/adobe-online-imitation\/22990\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/adobe-online-imitation\/22269\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/adobe-online-imitation\/25597\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/adobe-online-imitation\/25069\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/adobe-online-imitation\/31014\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/adobe-online-imitation\/9809\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/adobe-online-imitation\/40510\/"},{"hreflang":"fr","url":"https:\/\/
www.kaspersky.fr\/blog\/adobe-online-imitation\/17289\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/adobe-online-imitation\/17746\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/adobe-online-imitation\/15014\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/adobe-online-imitation\/27024\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/adobe-online-imitation\/27260\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/adobe-online-imitation\/24073\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/adobe-online-imitation\/29408\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/adobe-online-imitation\/29200\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18514"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18514\/revisions"}],"predecessor-version":[{"id":18518,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18514\/revisions\/18518"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18519"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18514"},{"taxonomy":"post_tag","embeddable":tr
ue,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}