Email users warned of PDF risk - Techwatch Support Forums: Digital & Satellite TV, FTA, Cable, Computers, Mobile Phones, Apple and General Tech Forums

BGonaSTICK · 03-08-07, 02:24 PM

Security vendors have warned email users to be as vigilant about PDF attachments as they would for other documents, after seeing a sharp rise in spam embedded within PDF documents.

Email security vendor Messagelabs reports that PDFs made up 20 percent of image-based spam messages in July, up 10 percent on the month prior. Image-based spam makes up around 22 percent of total spam, the company said.

The security company believes attackers are using the PDF format because it more easily bypasses antivirus and anti-spam filters, and that users tend to trust the authenticity of a PDF over other types of documents, even if they don't recognise the sender.

"People have a mindset that the PDF is a locked document," said Andrew Antal, marketing director for MessageLabs. "Anybody can open and make changes to a Word or PowerPoint document sent over email. With a PDF there is a little more assurance that the file in unchangeable, and is thus in a safe state to receive."

Marshal Software chief executive Ed McNair says PDF spam is more difficult for an organisation to detect.

In a recent interview McNair said PDF spam tends to arrive as an attachment in a PDF file. "Once opened it displays the spam message, whether that's a stock trading or an advert for some bogus health product."

"Organisations are finding it very hard to detect PDF spam at the moment, because it doesn't behave in a normal fashion," he said.

Antal said most security software solutions rely on detecting spam by searching for patterns within a message.

"The filtering engines are far smarter when it comes to looking for patterns within Word, PowerPoint on Excel documents than PDFs," he said. "The algorithms are different."

While it is very difficult for an attacker to embed any malware within a PDF file, the spam nonetheless can present a malware risk.

On most PDF spam captured so far, the malware doesn't sit within the PDF and can't be executed by merely opening the PDF, but tends to be hidden in web links within the document.

A victim would have to not only open the PDF but also click a link within it to risk infection.

"These links are often pointing to websites in which malware resides," Antal said.

He said the PDF spam once again shows that organisations need a layered defence to better arm themselves against such threats — with security software deployed at the gateway, at the client and at the server.

Analoguesat · 03-08-07, 10:01 PM

These have been around for a few weeks now. My email address gets dozens of them every week.

Gav · 03-08-07, 11:29 PM

Oh the beauties of having whitelisted e-mail and a separate spam address 8)

BGonaSTICK · 04-08-07, 01:13 AM

I've had a shedload of these recently, and I love them.

I don't ever have to look at the ***** they contain!

Here is my top tip for dealing with PDF spam.

1) If an unexpected email comes from someone called Ezmeralda, is titled 'Hi' and has a PDF document attached with the name of 'readme.pdf', delete it without opening the attachment.

03-08-07, 02:24 PM	#1 (permalink)
BGonaSTICK Dodgy Geezer Join Date: Nov 2005 Location: Brighton Posts: 9,718 Thanks: 3 Thanked 163 Times in 57 Posts	Email users warned of PDF risk Security vendors have warned email users to be as vigilant about PDF attachments as they would for other documents, after seeing a sharp rise in spam embedded within PDF documents. Email security vendor Messagelabs reports that PDFs made up 20 percent of image-based spam messages in July, up 10 percent on the month prior. Image-based spam makes up around 22 percent of total spam, the company said. The security company believes attackers are using the PDF format because it more easily bypasses antivirus and anti-spam filters, and that users tend to trust the authenticity of a PDF over other types of documents, even if they don't recognise the sender. "People have a mindset that the PDF is a locked document," said Andrew Antal, marketing director for MessageLabs. "Anybody can open and make changes to a Word or PowerPoint document sent over email. With a PDF there is a little more assurance that the file in unchangeable, and is thus in a safe state to receive." Marshal Software chief executive Ed McNair says PDF spam is more difficult for an organisation to detect. In a recent interview McNair said PDF spam tends to arrive as an attachment in a PDF file. "Once opened it displays the spam message, whether that's a stock trading or an advert for some bogus health product." "Organisations are finding it very hard to detect PDF spam at the moment, because it doesn't behave in a normal fashion," he said. Antal said most security software solutions rely on detecting spam by searching for patterns within a message. "The filtering engines are far smarter when it comes to looking for patterns within Word, PowerPoint on Excel documents than PDFs," he said. "The algorithms are different." While it is very difficult for an attacker to embed any malware within a PDF file, the spam nonetheless can present a malware risk. On most PDF spam captured so far, the malware doesn't sit within the PDF and can't be executed by merely opening the PDF, but tends to be hidden in web links within the document. A victim would have to not only open the PDF but also click a link within it to risk infection. "These links are often pointing to websites in which malware resides," Antal said. He said the PDF spam once again shows that organisations need a layered defence to better arm themselves against such threats — with security software deployed at the gateway, at the client and at the server. __________________ Dreambox 7000, Skystar2 PCI, Skystar USB, Fibo 90cm on Moteck SG2100, Triax TD110 multi-LNB. Sky + ART cards. 45.0°E - 58.0°W

03-08-07, 10:01 PM	#2 (permalink)
Analoguesat manic midlander retired mod Join Date: Jan 2006 Location: Scottish Borders Posts: 11,668 Thanks: 21 Thanked 1,334 Times in 985 Posts	Re: Email users warned of PDF risk These have been around for a few weeks now. My email address gets dozens of them every week. __________________ Basic forum rules for both satellite & cable: no keys no patches no offering or asking for card shares Anyone pm'ing me for details of card sharing or anything to do with hacking cable will be banned immediately Analogue forever!!

03-08-07, 11:29 PM	#3 (permalink)
Gav Senior Member Join Date: Feb 2007 Posts: 542 Thanks: 0 Thanked 3 Times in 3 Posts	Re: Email users warned of PDF risk Oh the beauties of having whitelisted e-mail and a separate spam address 8) __________________

04-08-07, 01:13 AM	#4 (permalink)
BGonaSTICK Dodgy Geezer Join Date: Nov 2005 Location: Brighton Posts: 9,718 Thanks: 3 Thanked 163 Times in 57 Posts	Re: Email users warned of PDF risk I've had a shedload of these recently, and I love them. I don't ever have to look at the ***** they contain! Here is my top tip for dealing with PDF spam. 1) If an unexpected email comes from someone called Ezmeralda, is titled 'Hi' and has a PDF document attached with the name of 'readme.pdf', delete it without opening the attachment. __________________ Dreambox 7000, Skystar2 PCI, Skystar USB, Fibo 90cm on Moteck SG2100, Triax TD110 multi-LNB. Sky + ART cards. 45.0°E - 58.0°W