The PDF that phishes you

Phishing attacks often rely on social engineering tactics to trick a person into clicking a link. This can lead to a credential-stealing page or a malicious application download. 

One such attack vector emerging in Germany that might be overlooked is credential theft via JavaScript-enabled documents. 

This attack technique doesn’t rely on malicious links or domain spoofing, but on document scripts that achieve the same effect, as highlighted by ReversingLabs.

Adobe and JavaScript

Based on JavaScript version 1.5 of ISO-16262 (formerly known as ECMAScript), JavaScript in Adobe Acrobat software implements objects, methods, and properties that enable you to, for example, produce database-driven PDF files or modify their appearance. 

You can tie Acrobat JavaScript code to a specific PDF document, to a page, field, or button within that document, and even to a user action.

In this instance, this extensibility allows malicious actors to create login pages purporting to be connected with the underlying email source, in this case Amazon.


How it works

It’s quite normal for an organisation to require an invoice from Amazon following a purchase.  These can take different forms depending on the actual supplier using Amazon’s platform. 

It’s, therefore, easy to see how an attacker might leverage these inconsistencies to trick their potential victims.


Translated from German

The phishing email informs the recipient that they must open the attached PDF which, in turn, displays a JavaScript-created login page requesting their Amazon credentials.

Once these details have been entered, the JavaScript sends them in plain text to a long URL located at the, which is obviously not the legitimate

Alarm Bells

For phishing scams we would normally advise you to examine the URL of any landing page to make sure it looks legitimate. We also advise you to only log in to sites at their official domains, rather than through one linked by an attachment.

In this case, the login prompt is generated by the PDF, so no URLs are displayed, and you were told that this would happen.

This is why, in addition to checking landing page URLs, you always need to check the sender to make sure it matches a legitimate domain, and one that corresponds with the email you received.


Preventative Measures

You should always enable two-factor authentication on your Amazon account (and elsewhere), which largely mitigates the value of any stolen credentials.

It’s also imperative that you provide ongoing phishing attack simulation and security awareness training to ensure your users are trained to spot phishing attacks, this one included.
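
As a technical control alongside these measures, a mail gateway or analyst can flag PDF attachments that carry JavaScript at all, since this lure depends on it. The script below is an added example, not code from the original article: it counts the relevant PDF name keys, including names disguised with #xx escapes or tucked inside Flate-compressed streams. The flag list, the verdict policy and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# PDF name keys tied to scripts, automatic actions and form submission.
FLAGS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/AcroForm", "/SubmitForm")

NAME_RE = re.compile(rb"/[^\s/<>\[\](){}%]+")   # one PDF name token
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")       # #xx escape inside a name
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def normalize(name: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript is counted as /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name).decode("latin-1")

def blobs(data: bytes):
    """Yield the raw file, then every stream body that inflates as zlib/Flate."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # not Flate data; nothing to inflate

def scan_pdf(data: bytes) -> dict:
    counts = {}
    for blob in blobs(data):
        for m in NAME_RE.finditer(blob):
            name = normalize(m.group(0))
            if name in FLAGS:
                counts[name] = counts.get(name, 0) + 1
    return counts

def verdict(counts: dict) -> str:
    """Assumed policy: any script is quarantined, forms/actions alone are reviewed."""
    if "/JS" in counts or "/JavaScript" in counts:
        return "quarantine"
    return "review" if counts else "pass"

# Constructed sample fragments (not from a real campaign); the URL is a placeholder.
HIDDEN = zlib.compress(b"<< /S /SubmitForm /F (https://example.invalid/) >>")
SUSPECT = (b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R /AcroForm 3 0 R >> endobj\n"
           b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
           b"4 0 obj << /Filter /FlateDecode >>\nstream\n" + HIDDEN + b"\nendstream endobj\n")
INVOICE = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, pdf in (("suspect", SUSPECT), ("invoice", INVOICE)):
        print(label, verdict(scan_pdf(pdf)), scan_pdf(pdf))
```

A name scan like this is triage only: encrypted documents or streams using other filters need a full PDF parser before their contents can be inspected.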
