back to article Old-school cruel: Dodgy PDF email attachments enjoying a renaissance

The last few months have seen a big increase in malware attacks using PDF email attachments, according to security firm SonicWall. "Increasingly, email, Office documents and now PDFs are the vehicle of choice for malware and fraud in the cyber landscape," said the outfit's Bill Conner. There's nothing new in this, of course, …

  1. alain williams Silver badge

    Very lacking in specifics ...

    What operating systems, version; what PDF readers, etc ? Some details as to where holes have been found in the last year or few.

    Eg: is MS Windows 10 any better than 8 ? What versions of MacOS ? What Linux distros ? Or do they assume that everyone runs MS Windows 10 ?

    OK: can't predict the future, but knowing what has been vulnerable in the past can suggest what to avoid.

    1. mark l 2 Silver badge

      Re: Very lacking in specifics ...

      I suspect it will be the usual suspect of Acrobat reader, which is a notoriously bloated insecure mess that needs killing with fire along with the other gaping security hold from Adobe, Flash.

      The PDF file format should have been left as a way of distributing documents where the layout is preserved no matter what device it was viewed on. There was no need to add in all the other functions and features that they have which make it a target for malware.

      1. phuzz Silver badge
        Facepalm

        Re: Very lacking in specifics ...

        "The PDF file format should have been left as a way of distributing documents"

        The irony is that PDF was originally intended to be a much simpler version of Postscript, without any of the (Turing complete) bells and whistles.

        Of course, thirty something years later it's so bloated that Postscript looks positively svelte by comparison.

    2. bombastic bob Silver badge
      Linux

      Re: Very lacking in specifics ...

      I would guess that anything using an adobe plugin or a browser built-in viewer is susceptible.

      I suspect that a save to disk folllowed by 'file open' from the PDF viewer application (let's say evince or atril) wouldn't pose a problem. However, double-click from an "explorer" type view might, depending (even after saving the file with the right extension). In particular, windows would look at the file type which could be a PE executable even with PDF file extension...

      and it's a fair bet that non-windows systems aren't affected so much, right?

    3. robidy

      Re: Very lacking in specifics ...

      The press release is also missing the obligatory we are No. 1 in xyz recent survey...do Sonic Wall have problems?

    4. arctic_haze Silver badge

      Re: Very lacking in specifics ...

      Some info on which PDF viewers are affects would b useful. That Adobe's crapstack is affected is a sure thing but is the Mozilla internal PDF viewer? Is Foxit? Or Sumatra? Or any of the Linux viewers?

  2. Anonymous Coward
    Anonymous Coward

    Let's make these statements a bit more precise

    "Increasingly, email, Office documents and now PDFs are the vehicle of choice for malware and fraud on xxx platform with yyy application in the cyber landscape ," said the outfit's Bill Conner.

    I'm willing to bet it's Windows and Adobe.

    It's time to hammer this one home every. single. time so the corporate nitwits actually start paying attention and put some effort in. MS and Adobe have been getting away with this crap for decades, clearly they don't see the point in doing a proper job unless shamed (OK, not sure if shaming will make a difference either but just continuing to accept this crap is IMHO not an option either.

    We'll start testing Macs, I think.

    1. Anonymous Coward
      Anonymous Coward

      Re: Platform?

      Is a redundant question if the link is "Please enter your credentials" phishing.

  3. ThatOne Silver badge

    Procedures

    Maybe the best idea is to have some exotic PDF reader for unknown/suspicious PDF files. It can be buggy as hell, but if it is exotic and rarely-used enough, no exploit will be tailored for it, and you're safe. If the PDF turns out to be legit after all, you can aways open it with a more mainstream reader to take advantage of all the bells and whistles.

    1. Anonymous Coward
      Anonymous Coward

      Re: Procedures

      Unless, of course, the PDF app you're using is the actual spyware. I've come across a few, so I'm not quite convinced that will help ..

      1. ThatOne Silver badge

        Re: Procedures

        Well, I think some due diligence should prevent that. Even people who have no clue and/or are new to this can always ask somebody among their friends and family for some suggestions.

        Obviously if you download that program with the suspiciously familiar-sounding name/icon and no developer info you found at some pr0n/warez site, you're programmed for failure, but in this case you most likely wouldn't even try this method, as clicking eagerly on any suspicious link keeps you too busy for anything else.

    2. bombastic bob Silver badge
      Devil

      Re: Procedures

      on Linux or FreeBSD I use atril which is the default for Mate, I believe. On windows I go ahead and use evince since it has a windows version available.

      I stopped using Adobe's PDF reader years ago, after seeing it bundled with a Windows 7 machine [rconditioned] and it TRIED TO INSIST THAT I PROVIDE AN E-MAIL ADDRESS just to view a PDF. I couldn't uninstall it fast enough...

    3. phuzz Silver badge
      Trollface

      Re: Procedures

      I use SumatraPDF, but just to be on the safe side, I run it in a VM copy of Vista, which is running on top of Knoppix Live CD, in an emulator running on an Amiga 4000T.

      All this is set up in the next room, and I operate it with some long sticks and pair of binoculars.

      Better safe than sorry :)

  4. DMcDonnell

    DjVu

    I miss the simplicity of DjVu

    1. Suricou Raven

      Re: DjVu

      The file structure was a lot easier to parse than the torturous horror that lurks within PDF.

  5. Camilla Smythe

    My latest batch of...

    Caught you watching pron e-mails request that I copy and paste a bitcoin wallet address from a .jpg image because it is case sensitive. I assume everyone else has been getting the case sensitive part wrong so my new owners are trying to make stuff easier. I still haven't worked out how to copy and paste from a .jpg image. Any pointers? I seem to have already missed a number of deadlines so apologies to anyone who has received a collection of poorly focused images of me having a fap.

    1. WolfFan Silver badge

      Re: My latest batch of...

      I got a few of those. I thought that they were really funny as:

      1 the only machine I use which has a camera built in is my laptop, which I use exclusively for business, not cruising for le pr0n. The desktop machines might have a USB camera attached, but only when I'm about to use it for something like a video call or some such. The camera is usually unplugged when not in use, and I just have the one camera which moves around as necessary. It's _impossible_ for _anyone_ to have video of me watching le pr0n.

      2 the email address and password in question was a throw-away Yahoo account, which hasn't been used in five years. And which was set up to be used on places where I didn't want to use a valuable account. (Like, oh, El Reg. I use a different throw-away account here. I've got plenty.) I suspect that the Yahoo account was one of the x billion accounts revealed upon the world in the Great Yahoo Hack. I don't care. I do find it funny that I had three throw-away Yahoo accounts, but only one is ever referenced in these kind of attempted extortion. It's as if the twits are too lazy to dig all the way down to the bottom of the admittedly big pile of leached Yahoo accounts.

      3 because that was a throw-away email address, the only items in the contacts list are places that I don't care about. Even if they did have real pix/vids/whatever, they could send 'em to those places and I simply wouldn't give a damn. If, for example, someone sent some p0rn-watching vids to El Reg, I'm pretty sure that the only reaction would be envy. (Hint: I don't usually watch p0rn alone...) Now, SWMBO might be a tad upset. As she has been known to state (accurately) that she is somewhat to the right of that pinko commiesimp Genghis Khan, who was much too soft and needed to be shown how to really make his enemies pay, (now you know why she must be obeyed. And why le p0rn-watching is what _she_ likes...) this might not be the best idea. Just a thought.

      All-in-all, those little notes are excellent sources of amusement.

      1. Bronek Kozicki Silver badge

        Re: My latest batch of...

        All-in-all, those little notes are excellent sources of amusement.

        they are quite useful to me - for tuning the selection of RBLs to use on a small postfix I happen to administer. Just today added barracudacentral for the one which has slipped by spamcop, abuseat and spamhaus.

  6. Walter Bishop Silver badge
    Linux

    Malware in the cyber landscape?

    The last few months have seen a big increase in malware attacks using PDF email attachment .. many recent attacks have relied on getting users to click links in emails leading to infected webpages instead of requiring them to open an attachment, as was traditional.”

    Good Grief!

    In many cases, targeted PDFs use zero-day exploits for browsers

    Well then, there's your answer right there, we must ban outright browsers from connecting to the Internet.

    1. bombastic bob Silver badge
      Meh

      Re: Malware in the cyber landscape?

      or maybe stop viewing PDFs embedded within a browser [which is probably where the vulns are]

  7. Nameless Dread

    PDFs nogo in FF - Vivaldi OK

    Just in case anyone's interested - PDFs don't open any more for me in Firefox ( with with add blocker, on Windows 7) so I have switched default PDF application to Vivaldi - works fine. Useful for tax and other docs from secure sites.

  8. Tom 7 Silver badge

    Pointless Document Format

    I want screen shaped documents not archaic shit I often have to print to read comfortably.

    1. ThatOne Silver badge

      Re: Pointless Document Format

      On the other hand the alternative is handing around MS Office documents, either carrying revisions and information that should had never left the office, or a bunch of code that you'd rather not allow into yours...

      It's damned if you do, damned if you don't.

      1. bombastic bob Silver badge
        Devil

        Re: Pointless Document Format

        " the alternative is handing around MS Office documents"

        Agreed, it's a whole lot worse than PDF. PDF (in spite of the article's point) is (one of) the least likely non-plaintext document format(s) to have serious malware problems [so long as you aren't viewing it with Adobe's reader]

        HTML content e-mail is worse than PDF. no, seriously. hiding actual the link as phishing clickbait, for starters...

    2. Anonymous Coward
      Anonymous Coward

      Re: Pointless Document Format

      Screen shaped as in 16:9, 3:2, 4:3, 5:4, 21:9? And the respective portrait modes?

    3. jelabarre59 Silver badge

      Re: Pointless Document Format

      I want screen shaped documents not archaic shit I often have to print to read comfortably.

      Whatever happened to reflowable PDF? Or am I misremembering some spec that was promised and never delivered?

  9. SNAFUology
    Happy

    Easy Peasy

    Don't use Adobe - for anything.

    use an alternative, eg in browser viewer or a separate standalone alternative that does not run scripts - many are available.

    1. Stork Bronze badge

      Re: Easy Peasy

      Not fair - LightRoom is ok, at least at Version 5 which I am on. But apparently it bloated later...

  10. liac

    AI ???

    How come no enterprising technology marketing pundit has suggested A.I. as a solution?

  11. BexD

    Caught out

    I received one such e-mail - from an existing customer at a large UK company. The lady is of few words and the mail simply said please see attached. This is normally roughly how she places orders (with a PDF of her purchase order). I tried to open it and nothing happened. Several days later my e-mail went crazy and sent out the same email to every contact, and even some I had never even heard of (perhaps copied on emails I had been sent?). Hundreds of people contacting me via phone and I had no idea because the replies were automatically set up to go into my deleted items folder. Luckily my partner saw what was happening and we managed to wipe my laptop, change passwords and re-install but the damage was done. Why would I not open something from a customer if it was a similar format to orders they normally send me? I'm assuming it was spying on me because the carnage then sent from my own e-mail was at least 4 working days after I had tried to open the PDF. I despise the cretins who build these and the damage they cause to small businesses trying hard to make a living !

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019