{"id":7106,"date":"2025-01-28T15:32:44","date_gmt":"2025-01-28T21:32:44","guid":{"rendered":"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/phishing-campaign-malicious-amazon-pdfs"},"modified":"2025-01-28T15:32:44","modified_gmt":"2025-01-28T21:32:44","slug":"phishing-campaign-baits-hook-with-malicious-amazon-pdfs","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/28\/phishing-campaign-baits-hook-with-malicious-amazon-pdfs\/","title":{"rendered":"Phishing Campaign Baits Hook With Malicious Amazon PDFs"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

NEWS BRIEF<\/span><\/span><\/p>\n

Researchers are highlighting the rise of a new phishing tactic: a campaign that uses PDF documents to trick victims by announcing expired <\/span>Amazon Prime memberships<\/a><\/span>.<\/span><\/p>\n

Users are targeted by email and, after clicking on the PDFs, are taken to pages that impersonate Amazon, where they are urged to input their personal details and credit card information.<\/span><\/p>\n

The researchers<\/a><\/span> at Palo Alto Networks Unit42 who discovered the campaign have collected 31 PDF files with links to these phishing sites, none of which had been submitted to VirusTotal.<\/span><\/p>\n

The chain of events in the phishing attack begins with the email containing the PDF attachment. Once clicking on the link from the PDF, the victim is redirected from the initial URL to subdomains of duckdns[.]org that host the phishing website.<\/span><\/p>\n

“These phishing websites use cloaking to redirect scans and other analysis attempts to benign domains,” <\/span>wrote the researchers<\/a><\/span>. These domains for most of the initial and intermediate staging URLs are hosted on the same IP address.<\/span><\/p>\n

There are four initial links used in the campaign that potential victims should be wary of:<\/span><\/p>\n

\n