Thursday, January 30, 2025

New Phishing Scam Targets Amazon Prime Membership to Steal Credit Card Data


A recent investigation has uncovered a sophisticated phishing campaign leveraging malicious PDF files to redirect unsuspecting users to fake Amazon-branded phishing websites.

Researchers from Unit 42 reported that this campaign utilizes PDFs containing embedded links as an initial lure to compromise users and steal sensitive information such as login credentials and credit card details.

Attack Chain Overview

The phishing operation begins with a targeted email sent to victims that carries a PDF attachment.

Upon opening the document, users encounter a clickable link leading to an “Initial URL.”

This URL subsequently redirects users to subdomains hosted on duckdns[.]org, which serve as an entry point to the phishing infrastructure.


The malicious websites are designed to impersonate Amazon’s login and payment pages.

What sets this campaign apart is the use of cloaking techniques. When systems like anti-virus software or sandboxes attempt to analyze these URLs, the phishing domains redirect them to benign pages, thereby evading detection.

The PDF samples analyzed during the investigation had not been submitted to VirusTotal, further emphasizing their novel and targeted nature.

Additionally, most of the URLs, including intermediate links, are hosted on the same IP address, indicating a coordinated operation.

Technical Details

During the analysis, researchers identified 31 unique PDF files associated with this campaign.

Each file contained links to deceptive domains, including subdomains such as redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns[.]org.

Once users clicked on these links, they were redirected through a chain of URLs before landing on a phishing site.

The pages behind these URLs mimicked legitimate Amazon branding and walked victims through a series of steps designed to capture login, security, and billing information.

Notably, the phishing domains used a phishing kit suspected to be either newly developed or a modified version of an existing one.

One particular SHA256 hash corresponding to the kit was identified: d49e6ae0d4887490c18ef9a2d2a1b658e3164a08a2d22a1fb535bd237b594f20.

This kit enabled the attackers to construct convincing Amazon-like login pages and process user input such as passwords and payment credentials.

An example sequence of the phishing flow includes links such as:

  1. hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn
  2. hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/signin/process
  3. hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/payment/

Each step progressively mimics legitimate Amazon processes, leading victims to confidently provide sensitive information.
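The attack chain above (a PDF whose embedded link points at a duckdns[.]org subdomain) and the defanged URL sequence just listed are both things a mail-gateway or SOC triage script can check for before a user ever clicks. The following Python script is an added example written for this article; it is not Unit 42's tooling or code from the report. It extracts `/URI` link actions from an uncompressed PDF, refangs the reported indicators so they can be compared, and flags any link that either resolves under a dynamic-DNS provider or matches a known indicator. The sample PDF bytes are constructed for the demonstration, the `DYNAMIC_DNS_PROVIDERS` list is an assumption seeded only with the provider named in the report, and `www.example.com` is a placeholder benign link.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the report, kept in their defanged form.
REPORTED_IOCS = [
    "hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn",
    "hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/signin/process",
    "hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/payment/",
]

# Assumption: only the provider named in the article. Extend with other
# dynamic-DNS services your organisation chooses to treat as suspicious.
DYNAMIC_DNS_PROVIDERS = ("duckdns.org",)

# Constructed, minimal PDF: one page with two link annotations. Not a real
# sample from the campaign; the first link reuses a URL quoted in the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://redixajcdkashdufzxcsfgfasd.duckdns.org/CCq8SKn) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://www.example.com/docs) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches "/URI (literal string)" with PDF backslash escapes allowed inside.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps[:]//host[.]tld) back into a real URL."""
    url = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return url.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")


def extract_pdf_uris(data: bytes) -> list:
    """Return every /URI action found in the raw (uncompressed) PDF bytes.

    Caveat: links inside FlateDecode object streams are invisible to this
    regex; a production scanner must decompress those first."""
    uris = []
    for raw in _URI_RE.findall(data):
        unescaped = re.sub(rb"\\(.)", rb"\1", raw)  # drop PDF string escapes
        uris.append(unescaped.decode("latin-1"))
    return uris


def canonical(url: str) -> str:
    """Lower-case host, drop trailing slash, so indicator comparison is stable."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path.rstrip("/") or "/"
    return f"{p.scheme.lower()}://{host}{path}"


def is_dynamic_dns(host: str, providers=DYNAMIC_DNS_PROVIDERS) -> bool:
    host = host.lower()
    return any(host == prov or host.endswith("." + prov) for prov in providers)


def triage_pdf(data: bytes, known_iocs, providers=DYNAMIC_DNS_PROVIDERS) -> list:
    """Flag embedded links that hit a dynamic-DNS provider or a known indicator."""
    ioc_set = {canonical(refang(ioc)) for ioc in known_iocs}
    findings = []
    for url in extract_pdf_uris(data):
        reasons = []
        if is_dynamic_dns(urlparse(url).hostname or "", providers):
            reasons.append("dynamic-dns")
        if canonical(url) in ioc_set:
            reasons.append("known-ioc")
        if reasons:
            findings.append({"url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_pdf(SAMPLE_PDF, REPORTED_IOCS):
        print(f"FLAG {hit['url']}  ({', '.join(hit['reasons'])})")
```

Because the campaign cloaks its pages from sandboxes, a check that never fetches the link (as this one does) is worth running in addition to URL detonation: the presence of a dynamic-DNS destination inside an attachment is a signal on its own, whatever the server chooses to show an analyst.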

This campaign serves as a stark reminder of the evolving tactics adopted by cybercriminals. With the use of decoy PDF documents and obfuscation techniques, such as cloaking, attackers are becoming more difficult to detect.

Organizations are advised to enhance email filtering mechanisms, educate users about identifying malicious attachments, and frequently update blacklists for domains such as duckdns[.]org.

Meanwhile, researchers continue to monitor the infrastructure for further developments, urging users to remain vigilant.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
