Cyber criminals attack businesses in Adobe-themed phishing surge

Attacks employ several tactics to evade detection and trick targets

Michael Hill
12/07/2023

Security researchers have warned of a sharp increase in phishing emails carrying Adobe InDesign links, with attackers targeting specific organizations and users. Since October, there has been a near 30-fold rise in malicious emails carrying Adobe InDesign prompts, according to data from cyber security firm Barracuda.

Many of the phishing links seen by Barracuda researchers have the top-level domain of “.ru” and are hosted behind a content delivery network (CDN) that acts as a proxy for the source site. This helps to obscure the source of the content and makes it harder for security technologies to detect and block the attacks.

The emails carry legitimate brand logos likely copied from other content or scraped from websites by the attackers, the researchers wrote. The logos have probably been chosen because they are known and trusted by the targets and suggest the attackers spent time and resources crafting the messages, they added.

A separate cyber security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) warned of threat actors exploiting a vulnerability in Adobe ColdFusion. The vulnerability – CVE-2023-26360 – presents as an improper access control issue and exploitation can result in arbitrary code execution.

Attacks employ several tactics to evade detection and trick targets

All the attacks assessed by Barracuda are relatively straightforward and consistent in their approach, according to the research team. They invite the recipient to click on a link that will take them to another site, hosted on the indd.adobe[.]com subdomain but actually controlled by the attackers, for the next stage of attacks. Cyber Security Hub requested more information on the next steps of the attacks, which was not provided at the time of writing.

The attacks leveraging Adobe InDesign employ several tactics to evade detection and trick targets. These include:

  • Leveraging a known and trusted domain that is not commonly blocklisted.
  • Using a publishing program to create highly convincing social engineering attacks.
  • Moving recipients to another web page once the link is clicked so there is no known malicious URL in the main body of the message for traditional security tools to detect and block.

Phishing attacks try to bypass security risk radars

“These kinds of phishing attacks try to bypass security technologies and employees’ own personal risk radars. It is important to ensure both are ready to defend against the threat,” John Flatley, consulting solutions engineer, email protection EMEA at Barracuda, tells Cyber Security Hub. “Look for security that offers link protection capability as this can check whether links are malicious or benign. It’s even better if your security applies machine learning techniques to detect unusual links and URLs that may not yet have been flagged as malicious.”

In addition, employees need to know what to look for and what to do if they spot a suspicious or malicious message. “Well-trained, alert employees are your human firewall. It only takes one employee to report a suspicious threat for an organization’s IT team to be able to investigate it and then, if necessary, to remove it automatically from any other inboxes.”

Generative AI enhancing phishing attacks

Phishing remains one of the most common and pervasive cyber threats businesses face. The State of Phishing Report 2023 by SlashNext detected a 1265 percent increase in malicious phishing emails since Q4 2022. This is partly driven by the growth of generative AI such as ChatGPT and its ability to enhance the scale and complexity of phishing attacks. “AI chatbots like ChatGPT have lowered the barriers to creating sophisticated business email compromise (BEC) attacks and improved malware,” the report read.

Other key findings include an average of 31,000 daily phishing attacks, with 68 percent of these identified as text-based BEC. Credential phishing also showed significant growth with a 967 percent increase, driven mostly by the demand of ransomware groups looking for access to companies in exchange for money, according to the report.
