Barracuda security researchers are warning of a recent surge in phishing attacks leveraging Adobe InDesign, a known and trusted document publishing system. Some of the attacks are targeted.
According to Barracuda telemetry, there has been a near 30-fold increase since October in emails carrying Adobe InDesign links. The daily count has jumped from around 75 per day to around 2,000 per day. Almost one in 10 (9%) of these emails carry active phishing links. A further 20% or so include removed content.
Many of the phishing links seen by Barracuda researchers have the top-level domain of “.ru” and are hosted behind a content delivery network (CDN) that acts as a proxy for the source site. This helps to obscure the source of the content and makes it harder for security technologies to detect and block the attacks.
Advanced to very basic attacks
Some of the attacks leveraging Adobe InDesign appear to be targeted at specific organizations or users. These emails carry legitimate brand logos that have probably been copied from other content or scraped from websites by the attackers. The logos are likely to have been chosen because they are known and trusted by the targets — and suggest the attackers spent time and resources crafting these messages.
All the attacks are relatively straightforward and consistent in their approach, inviting the recipient to click on a link that will take them to another site, hosted on the indd.adobe[.]com sub domain but actually controlled by the attackers, for the next stage of the attack.
Why these attacks succeed
Phishing attacks continue to evolve to become more sophisticated, deploying different techniques and tactics to bypass security detection and trap victims.
The attacks leveraging Adobe InDesign employ several tactics to evade detection and trick targets.
- First, they leverage a known and trusted domain that is not commonly block listed.
- Second, by using a publishing program they can create highly convincing social engineering attacks.
- Third, once the recipient clicks on the link, they are moved to another web page. This means that there is no known malicious URL link in the main body of the message for traditional security tools to detect and block.
- Fourth, for those attacks hosted behind the CDN, this further helps to obscure the malicious source of the content and makes it harder for security technologies to detect and block.
How to stay safe
To stay protected it is important to have advanced, multilayered and AI-powered email security in place, capable of spotting emerging as well as known threats.
This should be accompanied by regular cybersecurity awareness training for employees. The training should be updated whenever new threat trends appear so that employees know what to look out for and what to do if they spot a suspicious or malicious email.
Barracuda’s detection data shows that some of the phishing attacks leveraging Adobe InDesign targeted multiple employees within the same organization — and the rapid reporting of and response to such attacks can stop it in its tracks.
Barracuda LinkProtect
Barracuda Email Protection includes a link protection capability to ensure users do not click on any malicious URLs.
LinkProtect wraps every link in an email that passes through its gateway product, and an analysis is performed at time of click of every URL to identify if the link is good or bad. In addition, LinkProtect’s ability to act as a protective layer between the email and the recipient is critical because it serves as the last line of defense in case the threat is new or unknown.
Photo: Romolo Tavani / Shutterstock
