Online PDFs for corporate e-mail phishing

Attackers claiming to represent Adobe online services are sending fake notifications to obtain corporate e-mail credentials.

The latest in phishers’ battle for corporate e-mail credentials involves notifications allegedly from Adobe online services. And because they’ve begun using an online PDF file (supposedly stored on Adobe’s website), we created a real file to highlight the signs of a fishy e-mail and a fake “online PDF.”

Adobe PDF Online phishing message

In the phishing messages, the first thing that stands out is the description of the file — shared with you through “secure Adobe PDF online.” Right away, ask yourself, does the service actually exist? It sounds plausible, and a quick Google search will tell you Adobe does indeed have a service for storing PDF files online, and that service does enable users to share encrypted files. But you won’t find the name “Adobe PDF online” anywhere on a real Adobe website. It’s either “Adobe Acrobat online” or “Adobe Document Cloud.” Curious, I asked a colleague to send a file to me so I could compare the notifications.

The real message is on the right

Let’s assume you don’t know what a real file-sharing e-mail from Adobe looks like. Here are some signs. Not one of the following is a guarantee of fraud, and there are exceptions to every rule, but each should raise your suspicions and prompt you to pay close attention and investigate further:

  1. The sender. If an e-mail is from an online service, that should be obvious from the sender’s name and address. Conversely, if the sender is a specific person, a message from them won’t look like a notification from a service;
  2. The subject line. If you’re writing to someone called Leo, would you write something like “ received a PDF file” as the subject?
  3. The name of the service. You don’t have to remember the name of every single online service, but if you’re not totally sure, use a search engine to check it;
  4. Hyperlink/icon. Before clicking on a Download or Open icon, hover your cursor over it to inspect the hyperlink and make sure it goes where it should;
  5. E-mail footer. An e-mail from Adobe is highly unlikely to end with an assurance that Microsoft respects your privacy;
  6. The words “please read our Privacy Statement” without a hyperlink.
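
Signs 1, 3, 4, 5 and 6 from the list above can also be checked automatically by a mail filter or triage script. The following Python code is an added example, not part of the original article; the sample message, its addresses and URLs, and the names `phishing_signs` and `on_domain` are constructed for illustration, and it assumes a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions of this example: brand domain, service names quoted in the article, footer vendor.
BRAND_DOMAIN = "adobe.com"
REAL_SERVICES = {"adobe acrobat online", "adobe document cloud"}
OTHER_VENDORS = ("microsoft",)

def on_domain(host, domain=BRAND_DOMAIN):
    """True if host is the brand domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_signs(raw):
    """Return which of the article's e-mail signs fire on a single-part HTML message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = body.lower()
    signs = []
    # Sign 1: a service notification should come from the service's own domain.
    if not on_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2]):
        signs.append("sender")
    # Sign 3: a brand-named service that is not one of the real service names.
    named = set(re.findall(r"adobe (?:\w+ ){1,2}?(?:online|cloud)", text))
    if named - REAL_SERVICES:
        signs.append("service_name")
    # Sign 4: every hyperlink should lead to the brand's domain, not a lookalike.
    links = re.findall(r'href=["\']([^"\']+)', body, flags=re.I)
    if any(not on_domain(urlparse(u).hostname) for u in links):
        signs.append("link")
    # Sign 5: the body speaks for a different vendor (the fake's footer named Microsoft).
    if any(v in text for v in OTHER_VENDORS):
        signs.append("footer_vendor")
    # Sign 6: "Privacy Statement" is mentioned but is not the text of any link.
    anchors = " ".join(re.findall(r"<a\b[^>]*>(.*?)</a>", text, flags=re.S))
    if "privacy statement" in text and "privacy statement" not in anchors:
        signs.append("privacy_no_link")
    return signs

# Constructed sample modelled on the fake notification described in the article.
FAKE = """From: "John Smith" <j.smith@mail.example>
Subject: received a PDF file

<p>A file was shared with you through secure Adobe PDF online.</p>
<a href="https://files.example/open">Open</a>
<p>Microsoft respects your privacy. Please read our Privacy Statement.</p>
"""
```

As the article says of the manual checks, a hit is a reason to look closer rather than proof of fraud, so the function returns the list of signs instead of a verdict.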

Not Adobe Document Cloud’s website

At the moment, we can still depend on phishers to make stupid mistakes, but nothing is stopping them from doing a good job. Suppose the e-mail looks great. Now it’s time to check out the website, which in this case looks like an authentication window obscuring the blurred interface of Adobe Acrobat Reader DC. That’s actually plausible, although only if the person who received the e-mail doesn’t know what the real website for Adobe’s online services and its password request window look like.

Password request on phishing website (top) and on Adobe's real website

Here, the warning signs vary somewhat. Start with the blurred background: blurring is a fairly unprofessional way to protect confidential data, and some of the text is still easy to decipher with the naked eye.

  1. The URL. The website for an Adobe service should have an Adobe domain in its address;
  2. Despite the blurring, you can still make out the filename: EMInvoice_R6817-2.pdf. That doesn’t match the authentication window, which says the file available for download is called “Wire Transfer Receipt.pdf”;
  3. Mixed-up terms. The blurred document has “Invoice” written on it (as in, request for payment), but the filename says “receipt” (confirming payment already received);
  4. Program versions. The name “Adobe Acrobat Reader DC” is apparent in the blurred background, whereas the program named in the authentication window is Adobe Reader XI. Someone who rarely uses PDFs might not know XI is an older version of the software, but the discrepancy should stand out regardless;
  5. AdobeDoc Security. You might not keep track of the names Adobe uses for its technologies, but there’s a registered trademark symbol next to “AdobeDoc,” and that’s worth checking;
  6. Request for an e-mail password. A legitimate Adobe service does not need your e-mail password, period.

How to protect corporate e-mail from phishers

To keep company employees safe from phishing: