Earlier this year, I posted an example of a ridiculously contrived attempt to propagate malware. As amateurish as that one was, this one is the exact opposite: a very clever and convincing ruse. The message purports to come from an Adobe “Risk Management” official, references a known Acrobat exploit, and urges the recipient to apply a patch. What made it quasi-legitimate was not that it came from Adobe, but that it arrived as a simulated mail thread from company VP to company VP, ultimately addressing an end user by name and directing her to take action. I am not a malware expert and did not deconstruct the PDF or EXE to know if or what was infected, but it all seemed suspicious enough to me…

Things to note:

  1. The quoted exchange from employee to employee is actually part of the deception. This was not an internal mail thread, but a canned dialog meant to fool the victim. There was a strong element of social engineering at work: the names and titles are real, their organizational relationship is plausible, and the communication is clear and authoritative. Such a targeted phishing attack is called “spear phishing”. The only thing that made the potential victim suspect anything is that one of the “employees” in the dialog has not actually been around for several months.
  2. The “employees” don’t provide the links in their part of the dialog; instead they refer the reader to the URLs within the official-looking alert. It’s a good strategy not to make “click here” so obvious. If people have to hunt for the link, and find it embedded in something official, they are more likely to believe it.
  3. The alert makes clear and unabashed reference to the very Acrobat vulnerability the attackers are likely trying to exploit. “Fool them with the truth.”
  4. The link to the malware “instructions”, which may be the delivery mechanism for the very file that would trigger the exploit, looks like an Adobe URL at first glance, but is in fact hosted on a Tongan web site. The same goes for the supposed EXE patch, which may be the actual payload.
  5. The PDF instructions look very officially Adobe’ish. [I opened it on my iPhone to avoid exposing my PC to the risk.] This may actually be an edited version of the original Adobe document, but the URLs in it again very clearly direct the victim to the Tongan web site.
  6. The Adobe contact information in the email is correct, even if the specific “Risk Management” employee is not.
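The cues in points 2, 4 and 5 (an "Adobe" link that really lands on a foreign host, link text that does not match the real target, and an EXE offered as a "patch") can be checked mechanically before anyone clicks. The following Python script is an added example, not code from the original post and not derived from the actual message: it pulls every anchor out of an HTML mail body and flags brand-lookalike hosts, text/href mismatches and executable downloads. The sample mail body, its hosts and paths are constructed for the example; the trusted-domain list and the two-label "registered domain" rule are simplifying assumptions (a production filter should use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation expects genuine Adobe links to land on (assumption).
TRUSTED_DOMAINS = {"adobe.com"}
BRAND = "adobe"

# Constructed sample mail body for this example. It mimics the pattern the post
# describes (an "Adobe" link that really lands on a .to host, plus an EXE "patch");
# the hosts and paths are invented, not those from the real message.
SAMPLE_HTML = """
<p>Please read the <a href="http://www.adobe.com.security-update.to/acrobat/instructions.pdf">instructions (PDF)</a>
and apply the patch at <a href="http://security-update.to/adobe/patch/AcrobatUpdate.exe">http://www.adobe.com/support/security/patch.exe</a>.</p>
<p>Adobe security page: <a href="https://www.adobe.com/support/security/">https://www.adobe.com/support/security/</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable domain: the last two labels. Adequate for .com and .to
    as used here; real deployments need the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(href, text):
    """Return a list of human-readable findings for one link (empty if clean)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reg = registered_domain(host)

    if reg not in TRUSTED_DOMAINS:
        # Brand name used as a subdomain label ("www.adobe.com.<other>.to") or
        # buried in the path so an untrusted host looks official at a glance.
        if BRAND in host:
            findings.append(f"brand lookalike host {host} (really {reg})")
        elif BRAND in parsed.path.lower():
            findings.append(f"brand name in path on untrusted host {host}")

    # Visible text is itself a URL whose host does not match the real target.
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and registered_domain(shown.group(1)) != reg:
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")

    if parsed.path.lower().endswith(".exe"):
        findings.append("link delivers an executable")
    return findings


def scan_html(body):
    """Analyse every link in an HTML mail body; returns one dict per link."""
    extractor = LinkExtractor()
    extractor.feed(body)
    return [{"href": h, "text": t, "findings": analyze_link(h, t)}
            for h, t in extractor.links]


if __name__ == "__main__":
    for link in scan_html(SAMPLE_HTML):
        verdict = "SUSPICIOUS" if link["findings"] else "ok"
        print(f"{verdict:10} {link['href']}")
        for finding in link["findings"]:
            print(f"           - {finding}")
```

Run against the constructed body, the first link is flagged for the lookalike host, the second for the brand name in its path, the text/target mismatch and the EXE, and the genuine adobe.com link passes clean. The same logic, fed the links extracted from a PDF (point 5), would catch the Tongan redirect there too.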