Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Malicious PDF sent in massive scam to Colombian users claiming to be from Credit score agency - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious PDF sent in massive scam to Colombian users claiming to be from Credit score agency

We got reports for a massive scam sent to colombian users claiming to be from one of the two credit score agencies in Colombia. The agency is called Datacredito, affiliated to experian. The following e-mail was received:

email received

This e-mail poses as an alert for a false negative report to the credit agency. It comes with an attached PDF with the following information:

The file does not show malicious payload when scanned by antimalware software. However, this file has a PDF structure. Ater using PDFStreamDumper for reviewing, the following interesting information appeared:

PDF Stream Dumper

This PDF has malicious scripting, which instructs the reader to download and execute the URL shown in the previous URL. After downloading the file shown in that URL, which is live at this time, a keylogger is downloaded.

Malicious PDFs are still a problem. If you want to avoid falling into one of this scams, please remember the following:

  • Have the last version of acrobat reader installed in your computer
  • Do not open attachments from unknown sources
  • Do not enable scripting in your acrobat reader configuration. Keep it turned off.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

185 Posts
ISC Handler
I got someone that tried to bite me with something similar to this 2-3 weeks ago. They were posting on the local freecycle list (a mailing list for 'I don't need this does anyone want it for free') with a few things that were nice sounding items. Querying for any information got you sent a link to 'pictures of the object'.

I distinctly recall the website attempting to install 'Adobe_Flash_Player_Updater_2014.exe' to view the pictures.

I also tried to see if I could figure out which piece of malware this was but my AV wouldn't let me get it downloaded at home and I wasn't going to turn the AV off, and by the time I got to work where I have a walled garden machine to play with the site had the webhost banner 'we killed this site due to malicious activity' page and that was it.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!