A new email-based social engineering attack employing the PDF /Launch technique to infect computers with malware has been spotted in the wild. The malicious messages trick users into opening rigged PDF files by claiming they contain the fresh POP3/SMTP connection settings.
At the end of last month, Didier Stevens, an IT security consultant and researcher based in Belgium, revealed a social engineering technique that he dubbed "escaping from PDF." The attack relies on abusing the /Launch action defined in the PDF specification to trick users into allowing malware embedded in PDF files to run.
Even though Stevens did not publicly disclose the technical details of his approach, it wasn't long until cybercrooks figured it out and incorporated it into their malware distribution campaigns. In mid-April, security vendor Sophos reported seeing the first in-the-wild attack using this method.
The new attack is well-constructed and the rogue emails are made to appear as if they are coming from the mail server administrator. Their "From" field is spoofed to display a system@[your_email_domain] address.
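For defenders triaging attachments like the ones described here, the following added Python example (not code from the article, from Stevens, or from Sophos) counts PDF action keywords after undoing the `#xx` name escapes that can be used to hide them, and reports whether a /Launch action would fire on open; the two PDF fragments are constructed for the example.

```python
import re

# PDF names may be written with #xx hex escapes (e.g. /L#61unch for
# /Launch), so normalise them before looking for keywords.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

# Action-related names worth counting in an unsolicited attachment.
SUSPICIOUS = (b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")

def count_actions(data: bytes) -> dict:
    norm = normalise_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        # A name ends at a delimiter, so /JS must not also match /JSX.
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9])"
        counts[kw.decode()] = len(re.findall(pattern, norm))
    return counts

def verdict(data: bytes) -> str:
    c = count_actions(data)
    if c["/Launch"] == 0:
        return "clean"
    if c["/OpenAction"] or c["/AA"]:
        return "launch-on-open"   # action is wired to open/automatic triggers
    return "launch-present"       # action exists but needs user interaction

# Constructed fragments (not real samples): one with an escaped /Launch
# wired to /OpenAction, one without any action.
CONSTRUCTED_LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /L#61unch /F (example.txt) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CONSTRUCTED_BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("launch", CONSTRUCTED_LAUNCH_PDF), ("benign", CONSTRUCTED_BENIGN_PDF)):
        print(name, verdict(blob), count_actions(blob))
```

Counting keywords is a triage signal, not proof of malice; a /Launch hit means the file deserves a closer look in an isolated viewer or a dedicated PDF analysis tool.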