When Sophos Phish Threat was released in January, we pointed out that:
- Email remains one of the most problematic sources of infection; and
- It’s the ordinary, well-meaning people who often let poisonous emails into their organizations.
Phishing is an old problem, but news stories continue to show that people remain easy prey.
New attacks, old tactics
A recent Naked Security article outlined the bad guys’ efforts to infect their prey using scams centered around tax season, with the Internal Revenue Service (IRS) warning of fresh email schemes targeting tax professionals, payroll staff, human resources personnel, schools and average taxpayers. In another scam, attackers polluted Amazon listings with links that redirected victims to a very convincing Amazon-looking payment site.
Now come fresh reports that attackers are using malicious PDF attachments and messages that appear to be from their company’s HR departments, as well as bogus Facebook friend requests. [For the full story, read Latest phishing tactics: infected PDFs, bogus friend requests, fake HR emails.]
Microsoft Malware Protection Center team member Alden Pornasdoro warned of the malicious PDF files. Unlike in other spam campaigns, he wrote, the PDF attachments in question don’t contain malware or exploit code. Instead, they rely on social engineering Read more