Intelligent CIO Africa Issue 100 | Page 36

FEATURE: SECURING ENTERPRISES
Tips to avoid PDF embedded exploits
However, here are some practical steps for African enterprises to reduce risk.
Always verify the sender
Even if the PDF looks legitimate, double-check the sender’s email address. Cybercriminals often spoof well-known brands or colleagues to trick you into trusting the file.
Be cautious with attachments
If you were not expecting a PDF, especially one prompting you to click a link, scan a QR code, or call a number, treat it as suspicious. When in doubt, do not click the link or open the document.
Hover before you click
Before clicking any link in a PDF, hover over it to see the full URL. Be cautious of shortened links or those using redirect services like Bing, LinkedIn, or Google AMP.
Use a secure PDF viewer
Modern browsers and PDF readers often have built-in security features. Keep them current and avoid opening PDFs in obscure or outdated software.
Disable JavaScript in PDF viewers
If your PDF reader supports JavaScript (many do), disable it unless absolutely necessary. This reduces the risk of script-based exploits.
Keep security tools updated
Ensure your operating system, browser, and antivirus software are regularly updated. Patches often close vulnerabilities exploited in malicious PDFs.
Trust your instinct
If a PDF seems too good to be true, has unusual formatting and typos, or asks for credentials, it is a trap.
These campaigns are simple yet incredibly effective. They typically involve a PDF that contains a link to a phishing site or a malicious file download.
Often, the link is accompanied by an image or a piece of text designed to lure the victim into clicking it. These images often mimic trusted brands like Amazon, DocuSign, or Acrobat Reader, making the file look benign.
What makes these campaigns difficult to detect is that the attackers control all aspects of the link, the text, and the image, making it easy to change any of these elements. This flexibility allows these attacks to be resilient against reputation-based security tools or those that rely on static signatures.
Even though these attacks involve human interaction (the victim must click the link), this is often an advantage for attackers, as sandboxes and automated detection systems struggle with tasks that require human decision-making.
Evasive techniques adopted
Malicious actors continuously adapt their techniques to evade detection by security systems. These techniques show a deep understanding of how different detection methods work, and they are often tailored to bypass specific tools.
URL Evasion Techniques
The most obvious clue that a PDF might be malicious is the link it contains. To avoid detection, threat actors use a range of URL evasion techniques, such as:
Using benign redirect services: Attackers often use well-known redirect services, such as Bing, LinkedIn, or Google’s AMP URLs, to mask the true destination of the malicious link. These services are often whitelisted by security vendors, which makes it harder for URL reputation-based systems to detect the threat.
QR codes: Another technique involves embedding QR codes in PDFs, which the victim is encouraged to scan with their phone. This approach bypasses traditional URL scanners entirely and adds an extra layer of complexity to the attack.
Phone scams: In some cases, attackers rely on social engineering to prompt victims to call a phone number. This approach eliminates the need for a suspicious URL but requires significant human interaction.
Static analysis evasion
PDFs have a complex structure, and many security tools rely on static analysis to detect malicious activity. However, this method is not always effective against sophisticated PDF-based attacks. Attackers can obfuscate the contents of the file, making it harder for security tools to analyse it.
For example, PDFs use annotations to define clickable areas, such as links, but these annotations can be encoded in ways that are difficult for static analysis tools to recognise. Attackers might even exploit the slight differences between how PDF readers interpret these annotations, causing automated systems to miss the malicious intent.
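As an added example (not code from the article or from the research it summarises), the small Python triage scan below pulls /URI link actions out of a PDF the way a defender's first-pass check would: it resolves the PDF name escapes (so an annotation key written as /#55RI is still recognised as /URI) and the octal and hex string encodings before looking at the URL, then flags links that pass through the redirect services named above or that carry a second URL in their query string. The raw PDF objects, the phish.invalid hosts and the redirect-host list are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlparse

REDIRECT_HOSTS = ("bing.com", "linkedin.com", "google.com")  # services the article names; host reputation says nothing here
# PDF syntax tokens: literal string | hex string | name | bare word | delimiter
TOKEN = re.compile(rb"\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>|/[^\s/<>\[\]()]*|[^\s/<>()\[\]]+|[<>()\[\]]", re.S)

def decode_name(tok: bytes) -> str:
    """Resolve #xx escapes so that /#55RI and /URI compare equal."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), tok).decode("latin-1")

def decode_string(tok: bytes) -> str:
    """Decode a hex <...> string or a literal (...) string, including \\ddd octal escapes."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode()).decode("latin-1")
    def unescape(m):  # \ddd -> byte value; \n \r \t -> control char; \( \) \\ -> the char itself
        e = m.group(1)
        return bytes([int(e, 8) & 0xFF]) if e.isdigit() else {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)
    return re.sub(rb"\\(\d{1,3}|.)", unescape, tok[1:-1], flags=re.S).decode("latin-1")

def extract_links(pdf: bytes) -> list:
    """(raw key token, decoded URL) for every /URI key directly followed by a string, by a flat scan."""
    toks = TOKEN.findall(pdf)
    return [(t.decode("latin-1"), decode_string(n)) for t, n in zip(toks, toks[1:])
            if t.startswith(b"/") and decode_name(t) == "/URI" and n[:1] + n[-1:] in (b"()", b"<>")]

def assess(pdf: bytes) -> list:
    """One finding per link: the URL plus the reasons (possibly none) it deserves attention."""
    findings = []
    for raw_key, url in extract_links(pdf):
        parts, reasons = urlparse(url), []
        host = parts.hostname or ""
        if raw_key != "/URI":
            reasons.append(f"key written as {raw_key} (hex-escaped /URI)")
        if any(host == h or host.endswith("." + h) for h in REDIRECT_HOSTS):
            reasons.append(f"passes through redirect service {host}")
        wrapped = [v for vs in parse_qs(parts.query).values() for v in vs if v.startswith("http")]
        if wrapped:
            reasons.append(f"query string carries another URL: {wrapped[0]}")
        findings.append({"url": url, "reasons": reasons})
    return findings

SAMPLE_PDF = (  # constructed sample (not a complete PDF): four Link annotations as raw objects
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.com/invoice.pdf) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /#55RI "
    b"(https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Fphish.invalid%2F) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
    + "https://www.google.com/amp/s/phish.invalid/".encode().hex().encode() + b"> >> >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https\\072//www.bing.com/ck/a?q=1) >> >> endobj\n"
)
```

Calling `assess(SAMPLE_PDF)` reports nothing for the plain example.com link, three reasons for the hex-escaped LinkedIn redirect wrapping phish.invalid, and the redirect-service reason for the Google AMP and Bing links; a real triage tool would additionally walk object streams and decode compressed content, which this flat scan does not.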