PDF Files And Phishing Attacks

The people who use computers have a love and hate affair going on with the technology that is known as PDF files. While a lot of people do not mind them and they seem to make documents a little easier to read, other people hate them and think that they undermine what the web was initially intended to do. They think that the fact that it takes so long to bring one up in your browser kills the whole web experience and they block them from even running.

While some of these points may be true they certainly all are not. PDF files are a great middle man for when you need a document that a web site is just not going to be able to get across. If you need a file to look just like it does in a magazine or in a book, then a PDF file is a great thing to use no matter how long it takes to download. And let’s keep in mind that most people who have web access have broadband and it does not take them that long to download a PDF file.

PDF Files And Phishing Attacks

The security problems when it comes to PDF files

But there are certain concerns that must be shared when it comes to PDF files. While they definitely serve a purpose, they do have their problems as well. Some people tend to think of a PDF file as safe and they will open one up no matter what web site they are on. That is not a smart thing to do and you should really think about security when attempting something like that. Black hat hackers have found several different ways that they are able to expose your computer to attacks by you opening up rogue PDF files. One of these ways is through what is known as a phishing attack.

What is a phishing attack?

The idea of a phishing attack is quite simple. You pretend as if you are the legitimate web site or a file coming from a web site when in reality you are fake. You are actually the front for some sort of online criminal. When attacks like this happen, people automatically think of a black hat hacker but an attack like this is so simple that you do not need to be a hacker to pull it off. In fact a good graphic designer might be more important than a hacker when pulling off a phishing attack.

So how can PDF files be used in a phishing attack?

A PDF file can be used in two different ways to perform a phishing attack. You can either set the PDF to look like it came from an official institution and have people open up the file. When they open it, they click on the wrong link and they are sent to a web site which is going to infect their computer. Another way that you can become infected with a phishing attack by a PDF file is if you get the PDF file to include a JavaScript redirect that takes you to a web page that you do not want to go to. Yes, PDF files are able to run JavaScript just like a web page is able to. And since they have that capability, they are able to do the same things that JavaScript in a web page is able to do.

A lot of people do not know that a PDF file is able to run JavaScript so they do not ever think of this type of attack when they are opening it. This is why an attack like that is so effective. You are able to run it and the person is truly surprised that they are being directed to go to a new web page without much interaction from them.

Phishing attacks are not the only problem with PDF files

Because of the ability to run JavaScript in a PDF file and also the executable nature of the PDF files themselves, black hat hackers have found that they can hide other types of exploits in there as well. There are several 0-days that Adobe has to stop or they would render the PDF format useless. A 0-day is an attack on a security hole that no-one but the attacker knew about previously.

So what does all of this mean when it comes to PDF files? It means the same thing as with other files as well. You have to be careful with them and you have to make sure that you scan them with a good antivirus software solution when you get them on your computer. A lot of people think that they are harmless but as you can see from this article, they really are not.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind