{"id":4730,"date":"2023-12-26T07:38:49","date_gmt":"2023-12-26T07:38:49","guid":{"rendered":"https:\/\/shreshtait.com\/blog\/?p=4730"},"modified":"2023-12-26T07:38:50","modified_gmt":"2023-12-26T07:38:50","slug":"the-rise-of-phishing-attacks-targeting-adobe-users-in-india","status":"publish","type":"post","link":"https:\/\/shreshtait.com\/blog\/2023\/12\/the-rise-of-phishing-attacks-targeting-adobe-users-in-india\/","title":{"rendered":"The rise of phishing attacks targeting Adobe users in India"},"content":{"rendered":"\n

Executive Summary<\/strong><\/h2>\n\n\n\n

Shreshta Threat Intelligence<\/a> has uncovered a rise in phishing attacks targeting Adobe users in India. The attack begins by sending emails to employees working at Micro Small and Medium Enterprises(MSME), large enterprises, and luring them to click on a link which impersonates a Purchase Order or a Work Order document.\u00a0<\/p>\n\n\n\n

The attack uses social engineering to deceive the user into believing that the PDF document contains a Purchase Order or a Work Order document and that they need to click on the link and login in order to access or download it.<\/p>\n\n\n\n

After reviewing the phishing campaign, we have concluded that this campaign operates by sending phishing URLs to enterprise users via email.<\/p>\n\n\n\n

The emails lure the user to log in, in order to view or download the documents, thereby deceiving them into providing their login credentials.<\/p>\n\n\n\n

The phishing attacks targeting Adobe users in India has seen a massive uptick in the past few months. <\/p>\n\n\n\n

About Adobe<\/strong>\u00a0<\/h2>\n\n\n\n

Adobe Inc., formerly Adobe Systems Incorporated, is an American multinational computer software company incorporated in Delaware and headquartered in San Jose, California. It has historically specialized in software for creating and publishing a wide range of content, including graphics, photography, illustration, animation, multimedia\/video, motion pictures, and print. Its flagship products include Adobe Photoshop image editing software; Adobe Illustrator vector-based illustration software; Adobe Acrobat Reader and the Portable Document Format (PDF); and a host of tools primarily for audio-visual content creation, editing and publishing.1<\/sup><\/a><\/p>\n\n\n\n

<\/p>\n\n\n\n

Motive<\/strong><\/h2>\n\n\n\n

We can share with moderate confidence that the motive of the threat actors is to harvest the user’s enterprise login credentials such as Microsoft Outlook, Office 365 etc that are used to access the services of Adobe.\u00a0<\/p>\n\n\n\n

<\/p>\n\n\n\n

Technical analysis of phishing attacks targeting Adobe users in India<\/strong><\/h2>\n\n\n\n

In this section, we will unpack how Adobe users in India are being specifically targeted and also share the techniques the threat actors are using to lure enterprise users in clicking the phishing websites.<\/p>\n\n\n\n

Phishing website #1<\/strong><\/p>\n\n\n\n

<\/strong><\/p>\n\n\n\n

Figure 1-\u00a0 <\/strong>The phishing page prompts the user to enter their Adobe Acrobat login credentials<\/em><\/p>\n\n\n\n

The phishing website\u00a0 contains links to the official Adobe Acrobat to make it appear legitimate. <\/p>\n\n\n\n

<\/p>\n\n\n\n

Figure 2 – After entering the password, the website throws an error , stating,\u00a0 “Your email and password do not match. Please try again.”<\/em><\/p>\n\n\n\n

<\/p>\n\n\n\n

Phishing website #2<\/strong><\/p>\n\n\n\n

Figure 3 – The phishing website\u00a0 prompts the user to enter their login credentials to access the PDF document<\/em>
<\/p>\n\n\n\n

Figure 4 – After entering the login credentials and clicking the \u201cVIEW DOCUMENT\u201d button, the user is redirected to a genuine Microsoft support page<\/em>\u00a0<\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 5 – The phishing page prompts the user to enter their credentials.
The “Forgot Password\u201d is plain text without any associated links\u00a0<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 6 – The phishing page throws a network connection error<\/em><\/p>\n\n\n\n

The phishing website is poorly constructed, users can only input data into the password field as the username field is grayed out.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Phishing website #3 <\/strong><\/p>\n\n\n\n

Figure 7 – The phishing page prompts the user to enter their Adobe credentials to access, download or send files.<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 8 – The phishing page prompts the error \u201cPlease fill in all the fields.\u201d after clicking \u201cLogin To View File\u201d<\/em><\/p>\n\n\n\n

Phishing website #4<\/strong><\/p>\n\n\n\n

Figure 9 – The phishing website prompts the user to download the document by clicking the \u201cDownload\u201d button<\/em><\/p>\n\n\n\n

After clicking the \u201cDownload\u201d button, a login pop-up prompts the user to enter their credentials in order to login and access the document.<\/p>\n\n\n\n

Figure 10 – The phishing page prompts\u00a0 the user to enter his Adobe login credentials\u00a0<\/em><\/p>\n\n\n\n

Phishing page #5 <\/strong><\/p>\n\n\n\n

Figure 11 – The phishing website prompts the user to login via their Outlook, Office365, or other mail credentials to view the protected document<\/em><\/p>\n\n\n\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
Figure 12 – The phishing page prompts the user to enter their Outlook
login credentials<\/em><\/p>\n\n\n\n

<\/p>\n\n\n\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
Figure 13 – After entering credentials the phishing page shows an
error message to the user\u00a0<\/em><\/p>\n\n\n\n

<\/p>\n\n\n\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
Figure 14 – The phishing page prompts the user to enter their
Office 365 login credentials<\/em><\/p>\n\n\n\n

<\/p>\n\n\n\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
Figure – 15 After entering credentials the phishing page shows
an error message to the user\u00a0<\/em><\/p>\n\n\n\n

<\/p>\n\n\n\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 16 – The phishing website also prompts the user to enter
via other mail credential of the user<\/em><\/p>\n\n\n\n

<\/p>\n\n\n\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
Figure 17 – Upon entering the credentials the phishing page shows
and error<\/em>\u00a0<\/p>\n\n\n\n

<\/p>\n\n\n\n

Safety Recommendations<\/strong><\/h2>\n\n\n\n
    \n
  1.  An SMS\/email\/Whatsapp message with a tone of urgency should be dealt with with extreme caution. This is true, especially in the case of any message from any organization.<\/li>\n\n\n\n
  2. Always reach out with the organization and verify suspicious messages\/emails before taking any action at your end. <\/li>\n\n\n\n
  3. If you become a victim of cybercrime, particularly financial crime, call the national (India) cybercrime helpline 1930 or file a complaint at https:\/\/cybercrime.gov.in\/<\/a> <\/li>\n\n\n\n
  4. Shreshta Protective DNS<\/a> blocks phishing, malware, newly registered domain names and other malicious communication in real-time. For enterprises, please email info@shreshtait.com for a free 30-day trial.\u00a0
    <\/li>\n<\/ol>\n\n\n\n

    Conclusion<\/strong><\/h2>\n\n\n\n

    With the growing cyber threat landscape, threat actors continue to operate phishing campaigns at scale and it\u2019s important to stay vigilant and not fall prey to phishing scams. <\/p>\n\n\n\n

    By staying informed and vigilant, users can significantly mitigate the risk of falling victim to these sophisticated attacks.
    <\/p>\n\n\n\n

    Free 30-day trial of our threat intelligence<\/strong><\/h2>\n\n\n\n

    Threat actors constantly optimise and evolve their attacks to steal credentials and data and infiltrate networks. Our threat intelligence feeds are highly actionable and curated to protect against phishing, malware, C2 and newly registered domain names. <\/p>\n\n\n\n

    Interested? Please send us an email to info@shreshtait.com for a free 30-day trial. <\/p>\n\n\n\n

    References<\/strong><\/h2>\n\n\n\n

    A few other blog posts that you might be interested in,<\/p>\n\n\n\n

    \n
    Phishing Campaign targeting State Bank of India users<\/a><\/blockquote>