Beware: Fake Amazon PDF Phishing Campaign Targets Users

Just a SOC Analyst ^^
Researchers at Palo Alto Networks Unit42 are observing a surge in a new phishing tactic: using malicious PDF documents to deceive victims with notifications about Amazon Prime membership renewal.
Phishing Method
Email is the delivery vector. The message carries a PDF attachment; when the victim opens it and clicks the embedded link, they are redirected from the initial URL to subdomains of duckdns[.]org that host fake Amazon websites, where they are asked to enter personal and credit card information.
Security researchers have collected 31 PDF files containing links to these phishing websites, none of which have been submitted to VirusTotal.
"These phishing websites use cloaking techniques to redirect scanners and other security solutions to non-malicious domains." This technique uses multiple URLs, but they all point to the same IP address – meaning all those phishing pages are hosted on the same server. This allows attackers to easily manage the phishing campaign from a single server while creating multiple malicious links to avoid immediate detection.
There are four initial links used in the campaign that users need to be wary of:
hxxps[:]//redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns[.]org/XOZLaMh
hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn
hxxps[:]//zmehiasdhg7uw.redirectme[.]net/xn28lGa
hxxps[:]//rediahxjasdusgasdzxcsdefwgasdgasdasdzxdz.duckdns[.]org/agungggg1298w862847
List of IOCs Related to the Campaign
Hashes of 31 PDF Files
| Value | Type |
| --- | --- |
| 0d30813426132eb0e7058776f336be1ed788adb40429e1f14808c82cefb71cc0 | SHA256 |
| 0f6fb7fac3185c6993ab0a95021aa45b597a53face177233e110a94563e2d94b | SHA256 |
| 11d5a4be70b5370f70a2f9539f6a6e23f4393bc047147eda18992754b62993c4 | SHA256 |
| 22fab6e48be2beb9cf4837a840be6e0345e7d9027c4da5168d6120bd725833c8 | SHA256 |
| 2f123f63b17c65ebdcf9bb517bd25b2a13c319979368404d2688a69a7367a4d4 | SHA256 |
| 32e802617c978e2afa1052c565efb060bdbfff633988066587acd2a228a1e964 | SHA256 |
| 35a0cf22be7fb938b18f85292a00a6a576916065555b63d4bcb224b8a2e7d812 | SHA256 |
| 3b824f2a7d27bf4ab264064c5716dcedf8cfb83aa8ec7ce1670c94b43508904c | SHA256 |
| 42655606bf51695fc6b4d9afb597132626aa04497d256bd84aef406a8e8b061d | SHA256 |
| 4b5670c72b54b6e2b45ab143ca0fd8d75a28663a8141135e717b528beb4ac97f | SHA256 |
| 4edd8546455b3cfdfdc90b062c43da8ce253379dfe83ea8957234cad067966d7 | SHA256 |
| 4f90e88d593e9ba8e6e67e8e1cbb4c9cbb5c58f3e515d46835865414eaa8f0b3 | SHA256 |
| 53c9b76a227904618cdb97a33fbec3a503a444434418dd8d91372d800778e63d | SHA256 |
| 5a64f6c88d894e172ab3ed07938eafcf01ccfafea31d272dc06b0ebdc658f94d | SHA256 |
| 5d96918ca4adebbb3d594b36acf0f9198a952c50aa82047aafe854c957a82840 | SHA256 |
| 5e8a50781d4238a324cba432d081e881f1e2ea7b2a3ae5851373094cecf7b41b | SHA256 |
| 62cd345de8457a373bbc13a79436238eedba1f43e871418def1769f0f2502d0c | SHA256 |
| 64d1c6685ca0e2c8ca327e17cea16bbad3ae791cf03c6c2ea22d361f7b0d0338 | SHA256 |
| 76fb339b8014534f85f9fe64e3eec279fe26098b60d255ceaa0ee177587e8b9e | SHA256 |
| 78fcaf119b365d4171011dfdfa4ea4d5acd6c9656cd882418462ff6567cca00f | SHA256 |
| 858dc5420867b6824de8143456ff521461cec1330d7d48ff0ea07a02056f1a4a | SHA256 |
| 8d4fd20207ee690561f5282a26b2374dff036a579527e8b1244fc6f1766c3bb2 | SHA256 |
| 9add5bcfbd46b52744b6c02e829d815d3fdcd0a9221852c7254d892c4f5f984f | SHA256 |
| a1e3214afad9332327283c956990ae0e8ddf8084c5dd5d5fde605462ebd7e45d | SHA256 |
| a5f468421c9b3d66ed67c7accfb13ae19d6b1cee4050bdb505feea0d85161e9a | SHA256 |
| beeefae8f969bb3b749a505afd53ad2bad2eb301eab28466cf4a0ed6d9da81bc | SHA256 |
| cd0b45c96062c804ff3903065d68348494db6375679e369916fdcf0b3d17f262 | SHA256 |
| d00800e8fdfa6564bed0c5b0a76091a34753cf5c6d63c81441f8c8214afcb58e | SHA256 |
| e117c21bdcd5564b4a68b26d7148d2a073009b78485f42c4b5507723835663a0 | SHA256 |
| eafc7707cdbd1936f5312491dd6c6f0726f1c04ca2dd44421ba79e9d010cee2a | SHA256 |
| fa5aaf381d82aafca3ecabbece1cc2ff37401ec104e694b73e87bf02a9ef071a | SHA256 |
Links
| Value | Type |
| --- | --- |
| hxxps[:]//redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns[.]org/XOZLaMh | URL |
| hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn | URL |
| hxxps[:]//zmehiasdhg7uw.redirectme[.]net/xn28lGa | URL |
| hxxps[:]//rediahxjasdusgasdzxcsdefwgasdgasdasdzxdz.duckdns[.]org/agungggg1298w862847 | URL |
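The IOCs above are published in defanged form, so a SOC still needs a small amount of code to turn them into something that can be run against an attachment. The following Python script is an added example written for this page; it is not part of the original write-up or Unit 42's tooling. It refangs the listed URLs, builds a host watchlist from them, extracts literal-string `/URI` entries from a PDF by raw byte scanning, and compares the file's SHA256 against the published hashes. The PDF bytes it scans are constructed here for illustration and do not correspond to any of the 31 real samples; only two of the published hashes are embedded to keep the block short, and the decision to also treat any new subdomain of the same dynamic-DNS parent as "related" is this example's own heuristic, not a claim made by the report.

```python
import hashlib
import re

# Defanged URLs exactly as published in the IOC table above.
DEFANGED_URLS = [
    "hxxps[:]//redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns[.]org/XOZLaMh",
    "hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn",
    "hxxps[:]//zmehiasdhg7uw.redirectme[.]net/xn28lGa",
    "hxxps[:]//rediahxjasdusgasdzxcsdefwgasdgasdasdzxdz.duckdns[.]org/agungggg1298w862847",
]

# Two of the 31 published SHA256 values (the full table is above);
# extend this set with the rest when deploying.
KNOWN_HASHES = {
    "0d30813426132eb0e7058776f336be1ed788adb40429e1f14808c82cefb71cc0",
    "d00800e8fdfa6564bed0c5b0a76091a34753cf5c6d63c81441f8c8214afcb58e",
}

# Matches literal-string /URI entries in an uncompressed PDF object.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def refang(url):
    """Undo the hxxp / [:] / [.] defanging used in the report."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def hostname(url):
    """Return the lowercased host of an http(s) URL, or None for anything else."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None


def build_watchlist(defanged_urls):
    """Exact IOC hosts plus their dynamic-DNS parent (example heuristic:
    the campaign rotates subdomains under the same parent)."""
    hosts = set()
    for u in defanged_urls:
        h = hostname(refang(u))
        hosts.add(h)
        parts = h.split(".")
        if len(parts) >= 2:
            hosts.add(".".join(parts[-2:]))
    return hosts


def extract_uris(pdf_bytes):
    """Raw scan for /URI (...) entries. Objects inside compressed object
    streams are invisible to this scan; use a real PDF parser for those."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_pdf(pdf_bytes, watch_hosts=None, known_hashes=KNOWN_HASHES):
    """Return a list of (verdict, evidence) tuples; empty means no IOC hit."""
    if watch_hosts is None:
        watch_hosts = build_watchlist(DEFANGED_URLS)
    verdicts = []
    digest = sha256_hex(pdf_bytes)
    if digest in known_hashes:
        verdicts.append(("hash_match", digest))
    for uri in extract_uris(pdf_bytes):
        host = hostname(uri)
        if host is None:
            continue  # mailto:, javascript:, file: etc. are out of scope here
        if host in watch_hosts:
            verdicts.append(("uri_ioc_match", uri))
        elif any(host.endswith("." + parent) for parent in watch_hosts):
            verdicts.append(("uri_dyndns_related", uri))
    return verdicts


# Constructed minimal PDF with one /Link annotation pointing at a listed IOC.
# This is NOT one of the real samples; it only exercises the scanner.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]\n"
    b"   /A << /S /URI /URI (https://zmehiasdhg7uw.redirectme.net/xn28lGa) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for verdict, evidence in triage_pdf(SAMPLE_PDF):
        print(verdict, evidence)
```

Run it against a directory of quarantined attachments by reading each file's bytes and calling `triage_pdf`. The hash check catches the 31 known files; the URI check catches re-hashed copies that still point at the same infrastructure, which matters because the report notes the attackers rotate links while hosting everything on one server.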
Recommendations
FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this campaign:
Educate and Raise User Awareness: Increase awareness of threats, especially phishing emails.
Carefully Check Sender Email Addresses: Ensure the sender's email address is from a trusted source.
Use Email Security Solutions: Deploy specialized email security services for comprehensive protection.
Do Not Click on Links in Unfamiliar Emails: Avoid clicking on links or downloading attachments from unknown emails.