A scam invoice is bad enough, but delivering it digitally also opens up the possibility of incorporating malware in the PDF file. Hard to do? Nope. It can be done by anyone. Basically one needs a few things to complete the scam:
1) An infected PDF file
2) A genuine source to spoof
3) A recipient
One would simply do this:
1) Download the Social Engineering Toolkit. If you have trouble setting it up, download Kali Linux, which comes with all sorts of nifty tools, including SE Toolkit, installed for you.
2) Start the software and select the options that guide you to the creation of a hostile PDF:
- Social-Engineering Attacks
- Infectious Media Creator
- File-Format Exploit
- Adobe PDF Embedded EXE Social Engineering
- Use your own PDF for attack
4) Set up the e-mail client with any valid sender e-mail address. Pick your favourite phone company, bank, credit card company or similar. Something the recipient will recognise.
5) If needed, also download some e-mail server software so you bypass any filtering on the sending mail server.
6) Now craft the e-mail to look like a genuine e-mail and add some eye-catching things like “Your invoice is default”, “Late payment” or similar. This will trigger the recipient to open the attachment.
7) Send the e-mail and that’s it.
Now, all of this can be done by anyone. All the skills needed are how to download and install software, collect a genuine PDF file or create one in a word processor and save it as PDF, click through a menu and send an e-mail.
Some financial institutions, government organizations and companies have started to digitally sign the files so that the recipient should know where the file comes from and that it has not been tampered with. However, once the recipient has opened the file and perhaps discovers that the file is bogus, it is too late: the file has been executed and the malware has been planted.
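Because the damage is done at the moment the file is opened, the attachment has to be triaged before it reaches the reader. The following is an added example (not code from the original post or from the SE Toolkit project) that flags the raw-PDF indicators of the "embedded EXE" pattern described above: a `/EmbeddedFile` object combined with a `/Launch`, `/OpenAction` or JavaScript action. The two PDF byte strings are constructed samples; the scanner normalises `#xx` name escapes but does not inflate compressed streams, so it is a first-pass filter, not a full parser.

```python
import re
from typing import Dict

# PDF names that warrant a closer look before a user opens the file.
SUSPICIOUS_NAMES = [b"/EmbeddedFile", b"/Launch", b"/JavaScript",
                    b"/JS", b"/OpenAction", b"/AA"]

# Constructed sample: a minimal, harmless PDF with no actions or attachments.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Constructed sample of the embedded-executable pattern: the catalog opens a
# /Launch action on load, and the attachment's type name is written with a
# #46 escape ("F") to dodge a naive keyword grep.
EMBEDDED_EXE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R "
                    b"/Names << /EmbeddedFiles 5 0 R >> >>\nendobj\n"
                    b"3 0 obj\n<< /Type /Embedded#46ile /Length 3 >>\n"
                    b"stream\nMZ.\nendstream\nendobj\n"
                    b"4 0 obj\n<< /S /Launch /F (invoice.exe) >>\nendobj\n"
                    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names so /Embedded#46ile reads /EmbeddedFile."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count each suspicious name in the raw bytes; names end at a non-word byte,
    so /EmbeddedFiles (the name tree key) does not count as /EmbeddedFile."""
    norm = normalize_names(data)
    counts: Dict[str, int] = {}
    for name in SUSPICIOUS_NAMES:
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", norm))
        if hits:
            counts[name.decode()] = hits
    return counts


def risk_verdict(counts: Dict[str, int]) -> str:
    """'high' when an attachment is paired with something that can run it."""
    triggers = {"/Launch", "/OpenAction", "/JavaScript", "/JS"}
    if "/EmbeddedFile" in counts and triggers & counts.keys():
        return "high"
    return "medium" if counts else "low"


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("embedded-exe", EMBEDDED_EXE_PDF)):
        found = scan_pdf(pdf)
        print(f"{label}: {found} -> {risk_verdict(found)}")
```

A mail gateway that quarantines "high" verdicts catches this family of attachments before the "too late" moment, regardless of how convincing the sender address looks.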
How do we prevent this? Well, we cannot prevent anyone from opening an attachment, and we cannot prevent anyone from sending an e-mail that looks like it comes from someone else. But what we can do is use digitally signed e-mails. A certificate for digitally signing e-mails costs around 100 EUR, and it will immediately tell the recipient who sent the e-mail.
So anyone sending invoices and similar documents should have the courtesy to digitally sign the e-mails and provide this extra level of security for their customers.