[SCAM ALERT 060] – Adobe


Adobe has historically specialized in software for the creation and publication of a wide range of content, including graphics, photography, illustration, animation, multimedia/video, motion picture, and print.

During our PreCrime internet scout of November 4th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting Adobe customers.

The Attack

Target:

  • Customers of Adobe

Possible threats:
  • Credential harvesting – After luring users to the site, they are asked to log in to their Adobe account using either their customer or enterprise ID, allowing threat actors to take control of the account and steal their personal information.
  • Thousands of companies around the world use one of Adobe’s solutions, with more than 400 billion PDFs opened in Adobe products in the previous year. Any company employing an Adobe solution could be left vulnerable to such an attack, resulting in leaked company credentials and internal confidential data.
  • With 51% of people using the same passwords for both their work and personal accounts, any stolen credentials may provide threat actors with internal access to a company network, leaving it vulnerable to financial loss, leaks of sensitive and confidential data, and further cyber attacks such as ransomware.
  • Previous data breaches at Adobe have resulted in millions of exposed user records, and such a scam could likewise expose the data of thousands of users. Depending on the amount of data stolen from Adobe and any connected company, a data breach could cost up to 4.3 million USD.


Malicious sites: adobe-login[.]tk

adobe.rn47gaming[.]repl[.]co


Legitimate site: adobe[.]com

Technical Breakdown

Threat Indicators
  • Malicious domains impersonating Adobe Inc. that attempt to trick visitors into sharing personal information
  • DNS records of the malicious domain differ from those of Adobe Inc.
  • Newly registered site – November 7 2022
  • Registered using a free TLD (.tk)
  • SSL certificates expire after three months
  • IP address blacklisted

Detection and Threat Analysis

The malicious domains are targeting Adobe Inc., an American multinational computer software company and the global leader in digital media and marketing solutions. The malicious domain was created on November 7, 2022 and detected by Bfore.Ai on November 8, 2022.

  • The malicious site shows visitors a login page for Adobe. Users are asked to verify their identity by entering their email address and password, with the option to sign in with an Enterprise ID for users belonging to a company or school. After the credentials are entered and "Sign in" is clicked, the site redirects the user to the legitimate Adobe website. At this point the threat actor has the user's credentials and thereby access to their account and personal information. Other links on the page, including the Facebook and Google login options, do not work.

  • The DNS records differ from those of the legitimate website. The main point of interest is that the legitimate domain is registered under its own organisation's name (Adobe Inc.), whereas the malicious domain is registered with different certificates and IP addresses and without any organisation name. Legitimate companies will always include their organisation name in their records in order to verify their legitimacy, as Adobe Inc. has done. See further details and a comparison between the malicious and legitimate domain below.

  • The registered SSL certificate expires after three months and is issued by a free, domain-validated certificate issuer (Let’s Encrypt) that names no organisation in the certificate, indicating malicious intent. Legitimate companies will more commonly ensure their certificate lasts at least one year and, as mentioned earlier, include their organisation name (Adobe Inc).

  • The domain resolves to an IP address located in the U.S. that has been blacklisted by SPFBL. The IP address is mainly associated with malicious .EXE (Windows executable) traffic, most of it active within the last three months.
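The Threat Indicators list and the detection bullets above describe a checklist: a brand token in a non-official domain, a free TLD, a registration only days old, a withheld registrant, a short domain-validated certificate with no organisation name, and a blacklisted resolving IP. The script below is an added example, not Bfore.Ai's code or its PreCrime logic, that applies that checklist to two records constructed from the DNS Record table further down (adobe-login[.]tk and adobe[.]com). The field names, the thresholds (30 days for "new", 180 days for "short-lived certificate", three findings to flag a domain) and the set of free TLDs beyond .tk are this example's own assumptions.

```python
"""Score a domain against the indicators listed in this alert.

Added example, not part of the Bfore.Ai report. The two records at the bottom
are constructed from the alert's DNS Record table; field names, thresholds and
FREE_TLDS are this example's own assumptions, not a Bfore.Ai API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# .tk is the free TLD named in the alert; the other Freenom TLDs are an assumption.
FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}
NEW_DOMAIN_DAYS = 30    # assumed threshold for "newly registered"
SHORT_CERT_DAYS = 180   # assumed: 90-day DV certs count as short, 1-year OV certs do not
SUSPICIOUS_AT = 3       # assumed: three or more findings flags the domain


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    created: Optional[date]      # None when the WHOIS creation date is hidden
    registrant: Optional[str]    # None when the registrant is withheld
    cert_issuer: str
    cert_org: Optional[str]      # certificate subject O= field; None on DV certs
    cert_not_before: date
    cert_not_after: date
    blacklisted: bool


def labels(domain: str) -> list[str]:
    """Lower-cased DNS labels, ignoring a trailing dot (adobe[.]com[.] style)."""
    return domain.lower().rstrip(".").split(".")


def is_brand_lookalike(domain: str, brand: str, legit_domains: frozenset[str]) -> bool:
    """True when the name carries the brand token but is neither the brand's own
    domain nor a subdomain of it (adobe-login.tk, adobe.rn47gaming.repl.co)."""
    name = ".".join(labels(domain))
    if any(name == legit or name.endswith("." + legit) for legit in legit_domains):
        return False
    return any(brand in label for label in labels(domain))


def age_days(rec: DomainRecord, observed: date) -> Optional[int]:
    """Domain age on the observation date, or None if creation date is hidden."""
    return None if rec.created is None else (observed - rec.created).days


def cert_days(rec: DomainRecord) -> int:
    """Certificate validity period in days."""
    return (rec.cert_not_after - rec.cert_not_before).days


def assess(rec: DomainRecord, observed: date, brand: str = "adobe",
           legit_domains: frozenset[str] = frozenset({"adobe.com"})) -> tuple[bool, list[str]]:
    """Return (suspicious, findings) for one record as seen on the observation date."""
    findings: list[str] = []
    if is_brand_lookalike(rec.domain, brand, legit_domains):
        findings.append("brand token in a non-official domain")
    tld = labels(rec.domain)[-1]
    if tld in FREE_TLDS:
        findings.append(f"free TLD .{tld}")
    age = age_days(rec, observed)
    if age is None:
        findings.append("creation date hidden")
    elif age < NEW_DOMAIN_DAYS:
        findings.append(f"registered {age} day(s) before observation")
    if rec.registrant is None:
        findings.append("registrant withheld")
    if rec.cert_org is None:
        findings.append(f"domain-validated certificate from {rec.cert_issuer}, no organisation name")
    if cert_days(rec) < SHORT_CERT_DAYS:
        findings.append(f"certificate valid for only {cert_days(rec)} days")
    if rec.blacklisted:
        findings.append("resolving IP address is blacklisted")
    return len(findings) >= SUSPICIOUS_AT, findings


OBSERVED = date(2022, 11, 8)   # detection date given in the alert

# Constructed from the alert's DNS Record table (dates as YYYY-MM-DD).
MALICIOUS = DomainRecord(
    domain="adobe-login.tk", created=date(2022, 11, 7), registrant=None,
    cert_issuer="Let's Encrypt", cert_org=None,
    cert_not_before=date(2022, 11, 7), cert_not_after=date(2023, 2, 5),
    blacklisted=True)
LEGIT = DomainRecord(
    domain="adobe.com", created=date(1986, 11, 17), registrant="Adobe Inc.",
    cert_issuer="DigiCert Inc", cert_org="Adobe Inc",
    cert_not_before=date(2022, 10, 10), cert_not_after=date(2023, 10, 10),
    blacklisted=False)

if __name__ == "__main__":
    for rec in (MALICIOUS, LEGIT):
        suspicious, findings = assess(rec, OBSERVED)
        print(f"{rec.domain}: {'SUSPICIOUS' if suspicious else 'ok'} "
              f"(age {age_days(rec, OBSERVED)} days, cert {cert_days(rec)} days)")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed records, adobe-login.tk trips every one of the seven checks (1 day old, 90-day certificate) while adobe.com trips none (13,140 days old, 365-day certificate), matching the ages and validity periods in the table below. The lookalike check is deliberately simple: it flags any label containing the brand token, which also catches adobe.rn47gaming[.]repl[.]co, and exempts real subdomains such as adobe-dns-01.adobe.com.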

Graph

VirusTotal Graph

DNS Record
| Field | adobe-login[.]tk | adobe[.]com[.] |
|---|---|---|
| Domain creation and expiration | Created on 2022-11-07; expires on: unknown; updated on: unknown (1 day old) | Created on 1986-11-17; expires on 2023-05-17; updated on 2022-04-23 (13,140 days old) |
| Registrant | Unknown | Adobe Inc. |
| Registrar country | Unknown | United States |
| Certificate | Issued by: Let’s Encrypt; issued to: the domain; 07-11-2022 -> 05-02-2023; valid for 3 months | Issued by: DigiCert Inc; issued to: Adobe Inc; 10-10-2022 -> 10-10-2023; valid for 1 year |
| Name servers | yevgen.ns.cloudflare.com, lola.ns.cloudflare.com | a26-66.akam.net, a13-65.akam.net, a28-67.akam.net, a7-64.akam.net, a10-64.akam.net, a1-217.akam.net, adobe-dns-01.adobe.com, adobe-dns-03.adobe.com, adobe-dns-04.adobe.com, adobe-dns-05.adobe.com |
| MX record | N/A | adobe-com.mail.protection.outlook.com, adobe.mail.protection.outlook.com |
| Last seen active | 8 November 2022 | 8 November 2022 |
| IP address | 34.132.134.162 (Iowa, United States; AS396982 Google LLC; ISP: Google LLC) | 23.216.147.187 (Washington, United States; AS20940 Akamai International B.V.; ISP: Akamai Technologies, Inc.) |
| Blacklisted | SPFBL | N/A |

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With only a 0.05% false positive rate, you can stop wasting time chasing false alerts. Through our PreCrime and PreEmpt technologies, we measure how far ahead of an attack’s start we act, moving faster than the attackers.

Accepting that the only defense is good detection is accepting to be a victim forever. We believe in prevention more than response. Visit our website for more information!

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team:

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.