Thursday 5 March 2015

Sending invoices in PDF format?

Do you send invoices or other financial information as PDF files by e-mail to your customers and partners? You should consider digitally signing not only the PDF file but also the e-mail it arrives in. In Sweden alone, around 40 000 scam invoices are sent every year. As more and more companies choose to send their invoices digitally, this opens up an even more dangerous avenue.
A scam invoice is bad enough, but delivering it digitally also opens up the possibility of embedding malware in the PDF file. Hard to do? No. Anyone can do it. Basically, one needs three things to complete the scam:

1) An infected PDF file
2) A genuine source to spoof
3) A recipient

One would simply do this:
1) Download the Social-Engineer Toolkit (SET). If you have trouble setting it up, download Kali Linux, which comes with all sorts of nifty tools, including SET, already installed.

2) Start the software and walk through the menu options that lead to the creation of a hostile PDF:
  1. Social-Engineering Attacks
  2. Infectious Media Creator
  3. File-Format Exploit
  4. Adobe PDF Embedded EXE Social Engineering
  5. Use your own PDF for attack
3) Pick the PDF that looks like a genuine invoice, select an exploit from the repository and generate the infected file.

4) Set up the e-mail client with any sender address you like: your favourite phone company, bank, credit card company or similar, something the recipient will recognise. Nothing in ordinary e-mail stops the From address from being forged.

5) If needed, run your own mail server as well, so the message never passes through a legitimate provider's outgoing filters.

6) Now craft the e-mail to look genuine and add something eye-catching like "Your invoice is in default" or "Late payment". That is what makes the recipient open the attachment.

7) Send the e-mail, and that's it.

All of this can be done by anyone. The only skills needed are downloading and installing software, collecting a genuine PDF file (or creating one in a word processor and saving it as PDF), clicking through a menu and sending an e-mail.

Some financial institutions, government organisations and companies have started to digitally sign their files so that the recipient can tell where the file comes from and that it has not been tampered with. However, by the time the recipient has opened the file and perhaps discovered that it is bogus, it is too late: the file has been opened, the embedded payload has already run and the malware has been planted.

How do we prevent this? We cannot stop people from opening attachments, and we cannot stop anyone from sending an e-mail that looks like it comes from someone else. What we can do is use digitally signed e-mails. A certificate for signing e-mails (S/MIME) costs around 100 EUR, and it lets the recipient see immediately who sent the e-mail and whether the message was altered along the way. The caveat is that this only helps if the recipient's mail client actually verifies the signature and the recipient learns to treat an unsigned or badly signed invoice as suspicious.
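As an added example (not from the original post), here is what signing and verifying an e-mail with S/MIME looks like on the openssl command line, including what happens when someone alters the message after it was signed. The certificate is self-signed and generated on the spot, standing in for one bought from a CA; the addresses invoices@example.com and customer@example.net and the message text are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires openssl 1.1.1 or
# later on PATH. The self-signed certificate made here stands in for a
# CA-issued S/MIME certificate; addresses and message text are constructed.

WORK=$(mktemp -d)

# Sender side: create a signing key and a self-signed certificate for the
# hypothetical sender invoices@example.com. A real deployment uses a
# certificate issued by a CA that the recipient's mail client trusts.
make_sender_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=invoices@example.com" \
        -keyout "$WORK/sender.key" -out "$WORK/sender.crt" 2>/dev/null
}

# Sender side: wrap a constructed plain-text body in a multipart/signed
# message with From/To/Subject headers. Note that those headers sit outside
# the signed part; the signature covers the body and the signer certificate.
sign_message() {
    printf 'Your invoice for March is attached. Due date: 2015-03-31.\n' \
        > "$WORK/body.txt"
    openssl smime -sign -text -in "$WORK/body.txt" \
        -signer "$WORK/sender.crt" -inkey "$WORK/sender.key" \
        -from invoices@example.com -to customer@example.net \
        -subject "Your invoice" -out "$WORK/signed.eml"
}

# Recipient side: verify the signature against a trusted certificate and
# recover the signed content. Exit status 0 means the signature is valid
# and the content is exactly what the signer signed.
verify_message() {
    openssl smime -verify -in "$1" -CAfile "$WORK/sender.crt" \
        -out "$WORK/verified.txt" 2>/dev/null
}

# Simulate a scammer editing the message after signing (here the due date,
# in practice more likely a bank account number). The signature no longer
# matches the content, so verification must fail.
make_tampered_copy() {
    sed 's/2015-03-31/2015-03-10/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

make_sender_cert
sign_message
make_tampered_copy
if verify_message "$WORK/signed.eml"; then
    echo "original message: signature verified"
fi
if verify_message "$WORK/tampered.eml"; then
    echo "tampered message: signature verified (unexpected)"
else
    echo "tampered message: verification failed, as it should"
fi
```

The files are left in the temporary directory so the signed message can be inspected; `signed.eml` is a complete MIME message that a mail client with the sender's certificate installed will show as signed, and any change to the body after signing produces the same failure as the tampered copy above.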

So anyone sending invoices and the like should have the courtesy to digitally sign their e-mails and give their customers this extra layer of security.