Scammers Use Adobe Cloud Accounts to Collect Credentials

In a new but not particularly original effort to trick people and collect information, threat actors have been running a campaign that abuses the services offered by the Adobe Cloud.

The campaign uses Adobe Cloud accounts created by the threat actors. Those accounts are used to send potential victims corrupted files.

Security researchers working with Avanan, a security company acquired by infosec giant Check Point in the second half of 2021, discovered the threatening campaign back in December.

Corrupted PDFs Used

According to the research team, the threat actor behind the campaign is primarily targeting Office 365 users, because a compromised Office 365 account can be a very convenient tool for gaining persistent and undetected access to a company-wide network. Even though Office users are the primary targets, some attempts to trick people out of their Gmail accounts were spotted too.

The way the attack goes is relatively simple. The threat actors create free accounts on the Adobe Cloud. Those accounts are then used to send out an image or PDF file, with a link embedded inside the file. The corrupted files are sent out over email to the end victims.

Of course, the actual threatening payload contained in the linked files is not hosted on Adobe's Cloud but on external servers operated by the threat actors, making detection more difficult.
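Because the link sits inside a file shared from a legitimate service while its target lives elsewhere, one defensive check is to list the link targets in a shared PDF and flag any host outside the sharing service. The sketch below is an added example, not code from Avanan or Adobe; the trusted suffix list and the sample PDF fragment are assumptions constructed for illustration, and it only sees links stored in uncompressed PDF objects.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts treated as belonging to the sharing service itself.
TRUSTED_SUFFIXES = ("adobe.com",)

# Matches "/URI (literal string)" inside a link annotation's action dictionary,
# tolerating backslash-escaped characters within the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
ESCAPE_RE = re.compile(rb"\\([()\\])")  # PDF escapes for ( ) and backslash


def extract_uris(pdf_bytes):
    """Return URI action targets found in uncompressed PDF objects."""
    return [ESCAPE_RE.sub(rb"\1", m.group(1)).decode("latin-1").strip()
            for m in URI_RE.finditer(pdf_bytes)]


def is_trusted(host):
    """True only for a trusted domain or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def external_links(pdf_bytes):
    """Return URIs whose host is missing, unparsable, or outside the trusted set."""
    flagged = []
    for uri in extract_uris(pdf_bytes):
        try:
            host = urlsplit(uri).hostname
        except ValueError:  # malformed authority: treat as suspicious
            host = None
        if not is_trusted(host):
            flagged.append(uri)
    return flagged


# Constructed sample: two link annotations as they appear in a PDF body.
SAMPLE = (
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (https://acrobat.adobe.com/view) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 650 300 670]\n"
    b"   /A << /S /URI /URI (https://login.example.net/o365\\(1\\)) >> >>\nendobj\n"
)

if __name__ == "__main__":
    for uri in external_links(SAMPLE):
        print("external link:", uri)
```

Links stored inside compressed object streams need a full PDF parser before this check can see them.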

Classic Phishing Bait

The user needs to click a couple of confirmation buttons to reach the intended payload on the other end of the link. The buttons look innocuous, carry names such as "Access document", and are displayed while the victim is trying to view the attached corrupted PDF.

While the threat actors have taken care to spoof their emails to look like legitimate addresses assigned by Adobe, the text of the emails carrying the unsafe attachments contains multiple grammar and spelling errors, significantly undermining the believability of the effort.

The PDF file itself is called "Closing.PDF" - another cheap social engineering trick intended to create a sense of fear and urgency in the victims and get them to do their best to see the contents.

January 13, 2022