Cyber Security News

New Phishing Scam Targets Amazon Prime Membership to Steal Credit Card Data

A recent investigation has uncovered a sophisticated phishing campaign leveraging malicious PDF files to redirect unsuspecting users to fake Amazon-branded phishing websites.

Researchers from Unit 42 reported that this campaign utilizes PDFs containing embedded links as an initial lure to compromise users and steal sensitive information such as login credentials and credit card details.

Attack Chain Overview

The phishing operation begins with a targeted email to victims that carries a PDF attachment.

Upon opening the document, users encounter a clickable link leading to an “Initial URL.”

This URL subsequently redirects users to subdomains hosted on duckdns[.]org, which serve as an entry point to the phishing infrastructure.


The malicious websites are designed to impersonate Amazon’s login and payment pages.

What sets this campaign apart is the use of cloaking techniques. When systems like anti-virus software or sandboxes attempt to analyze these URLs, the phishing domains redirect them to benign pages, thereby evading detection.

The PDF samples analyzed during the investigation had not been submitted to VirusTotal, further emphasizing their novel and targeted nature.

Additionally, most of the URLs, including intermediate links, are hosted on the same IP address, indicating a coordinated operation.

Technical Details

During the analysis, researchers identified 31 unique PDF files associated with this campaign.

Each file contained links to deceptive domains, including subdomains such as redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns[.]org.

Once users clicked on these links, they were redirected through a chain of URLs before landing on a phishing site.

The pages at these URLs mimicked legitimate Amazon branding and walked victims through a series of steps designed to capture login, security, and billing information.

Notably, the phishing domains used a phishing kit suspected to be either newly developed or a modified version of an existing one.

One particular SHA256 hash corresponding to the kit was identified: d49e6ae0d4887490c18ef9a2d2a1b658e3164a08a2d22a1fb535bd237b594f20.

This kit enabled the attackers to construct convincing Amazon-like login pages and process user input such as passwords and payment credentials.

An example sequence of the phishing flow includes links such as:

  1. hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn
  2. hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/signin/process
  3. hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/payment/

Each step progressively mimics legitimate Amazon processes, leading victims to confidently provide sensitive information.
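Because the lure in this campaign is a PDF whose link annotation points at a dynamic-DNS subdomain, a mail-gateway or SOC triage script can flag such attachments before a user ever clicks. The following is an added example written for this article, not code from Unit 42 or the original report: it pulls `/URI` targets out of raw PDF bytes and flags any host under duckdns.org (the zone named in the report). The sample PDF is constructed inline and reuses the first URL from the chain above.

```python
import re
from urllib.parse import urlparse

# Dynamic-DNS zone abused by this campaign (duckdns.org comes from the report);
# extend this set with other providers your environment wants to treat as suspicious.
DYNAMIC_DNS_ZONES = {"duckdns.org"}

# PDF link annotations store their target in a /URI entry. This pattern matches the
# literal-string form "/URI (https://...)" in uncompressed objects; objects packed
# into compressed object streams must be inflated with a PDF library first.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes, in document order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def is_dynamic_dns(host: str) -> bool:
    """True if host equals or sits beneath one of the dynamic-DNS zones."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def flag_suspicious_uris(pdf_bytes: bytes) -> list[str]:
    """Return the embedded URIs whose hostname is under a dynamic-DNS zone."""
    flagged = []
    for uri in extract_pdf_uris(pdf_bytes):
        host = urlparse(uri).hostname or ""
        if is_dynamic_dns(host):
            flagged.append(uri)
    return flagged


# Constructed minimal PDF: one link to the campaign's initial duckdns URL
# (taken from the report) and one benign link to the real Amazon site.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://redixajcdkashdufzxcsfgfasd.duckdns.org/CCq8SKn) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI (https://www.amazon.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri in flag_suspicious_uris(SAMPLE_PDF):
        print("SUSPICIOUS dynamic-DNS link in PDF:", uri)
```

This is a triage heuristic, not a verdict: a hit should feed sandbox detonation or analyst review, and the regex will miss hex-encoded strings and compressed object streams unless the PDF is first expanded with a proper parser.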

This campaign serves as a stark reminder of the evolving tactics adopted by cybercriminals. With the use of decoy PDF documents and obfuscation techniques, such as cloaking, attackers are becoming more difficult to detect.

Organizations are advised to enhance email filtering mechanisms, educate users about identifying malicious attachments, and frequently update blacklists for domains such as duckdns[.]org.

Meanwhile, researchers continue to monitor the infrastructure for further developments, urging users to remain vigilant.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
