Adobe has historically specialized in software for the creation and publication of a wide range of content, including graphics, photography, illustration, animation, multimedia/video, motion picture, and print.
During our PreCrime internet scout of November 4th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting Adobe customers.
The Attack
Target:
- Customers of Adobe
Possible threats:
- Credential harvesting – After being lured to the site, users are asked to log in to their Adobe account using either their customer or enterprise ID, allowing threat actors to take control of the account and steal their personal information.
- Thousands of companies around the world use one of Adobe’s solutions, with more than 400 billion PDFs opened in Adobe products in the previous year. Any company employing an Adobe solution could be left vulnerable to such an attack, resulting in leaked company credentials and internal confidential data.
- With 51% of people using the same passwords for both their work and personal accounts, any stolen credentials may give threat actors internal access to a company network, leaving it vulnerable to financial loss, leakage of sensitive and confidential data, and further cyber attacks such as ransomware.
- Previous data breaches at Adobe have exposed the data of millions of users. Such a scam could likewise expose the data of thousands of users. Depending on the amount of data stolen from Adobe and any connected company, a data breach could cost up to 4.3 million USD.
Malicious sites: adobe-login[.]tk, adobe.rn47gaming[.]repl[.]co
Legitimate site: adobe[.]com
Technical Breakdown
Threat Indicators
- Malicious domains impersonating Adobe Inc. that attempt to trick visitors into sharing personal information
- DNS records of the malicious domain differ from those of Adobe Inc.
- Newly registered site (November 7, 2022)
- Registered using a free TLD (.tk)
- SSL certificate expires after three months
- IP address blacklisted
Detection and Threat Analysis
The malicious domains are targeting Adobe Inc., an American multinational computer software company and the global leader in digital media and marketing solutions. The malicious domain was created on November 7, 2022 and detected by Bfore.Ai on November 8, 2022.
- The malicious domain shows visitors a login page for Adobe. Users are asked to verify their identity by entering their email address and password, and also have the option to sign in with an Enterprise ID for users belonging to a company or school. After entering credentials and clicking on sign in, the site redirects the user to the legitimate Adobe website. At this point the threat actor has stolen the user’s credentials and thereby has access to their account and personal information. Other links on the page, including the Facebook and Google login options, do not work.
- The DNS records differ from those of the legitimate website. The main point of interest is that the legitimate domain is registered under its own organisation’s name (Adobe Inc.), whereas the malicious domain is registered with different certificates and IP addresses, without an organisation name. Legitimate companies will always include their organisation name in DNS records in order to verify their legitimacy, as Adobe Inc. has done. See further details and a comparison between the malicious and legitimate domains below.
- The registered SSL certificate expires after three months and is issued by a non-trusted certificate issuer (Let’s Encrypt), indicating malicious intent. Legitimate companies more commonly ensure their certificate lasts at least one year and, as mentioned earlier, include their organisation name (Adobe Inc).
- The domain resolves to an IP address located in the U.S. that has been blacklisted by SPFBL. Malicious traffic associated with this IP address consists mainly of .EXE files (Windows executables), most of it active within the last three months.
Graph
[Figure: VirusTotal Graph of the malicious domain]
DNS Record
Domain | adobe-login[.]tk | adobe[.]com[.] |
---|---|---|
Domain Creation and Expiration | Created on 2022-11-07; expires on Unknown; updated on Unknown; 1 day old | Created on 1986-11-17; expires on 2023-05-17; updated on 2022-04-23; 13,140 days old |
Registrant | Unknown | Adobe Inc. |
Registrar country | Unknown | United States |
Certificate | Issued by: Let’s Encrypt; issued to: the domain; 07-11-2022 -> 05-02-2023 (valid for 3 months) | Issued by: DigiCert Inc; issued to: Adobe Inc; 10-10-2022 -> 10-10-2023 (valid for 1 year) |
Name Servers | yevgen.ns.cloudflare.com, lola.ns.cloudflare.com | a26-66.akam.net, a13-65.akam.net, a28-67.akam.net, a7-64.akam.net, a10-64.akam.net, a1-217.akam.net, adobe-dns-01.adobe.com, adobe-dns-03.adobe.com, adobe-dns-04.adobe.com, adobe-dns-05.adobe.com |
MX record | N/A | adobe-com.mail.protection.outlook.com, adobe.mail.protection.outlook.com |
Last seen active | 8 November 2022 | 8 November 2022 |
IP address | 34.132.134.162 (Iowa, United States; AS396982 Google LLC; ISP: Google LLC) | 23.216.147.187 (Washington, United States; AS20940 Akamai International B.V.; ISP: Akamai Technologies, Inc.) |
Blacklisted | SPFBL | N/A |
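The threat indicators listed above and the side-by-side comparison in this table can be turned into a mechanical check. The following Python is an added example, not part of the Bfore.Ai report: it encodes the report’s indicators (domain age, free TLD, certificate lifetime, missing registrant and certificate organisation, IP blacklisting) and applies them to two records constructed from the values in the table. The 30-day age window and the 92-day certificate threshold are assumptions chosen for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Free TLD named in the report; extend with other free/abused TLDs as needed.
FREE_TLDS = {"tk"}
NEW_DOMAIN_DAYS = 30      # assumption: "newly registered" means under 30 days old
SHORT_CERT_DAYS = 92      # assumption: ~3 months or less counts as short-lived


@dataclass
class DomainRecord:
    domain: str
    created: Optional[date]            # WHOIS creation date, None if unknown
    registrant: Optional[str]          # WHOIS registrant organisation, None if unknown
    cert_org: Optional[str]            # certificate subject organisation, None for domain-only certs
    cert_not_before: date
    cert_not_after: date
    ip_blacklisted: bool


def assess(rec: DomainRecord, observed: date) -> List[str]:
    """Return the report's indicators that fire for this record (each is a weak
    signal on its own; the combination is what makes the spoof stand out)."""
    hits = []
    if rec.created is None or (observed - rec.created).days < NEW_DOMAIN_DAYS:
        hits.append("newly registered or unknown creation date")
    if rec.domain.rsplit(".", 1)[-1].lower() in FREE_TLDS:
        hits.append("free TLD")
    if (rec.cert_not_after - rec.cert_not_before).days <= SHORT_CERT_DAYS:
        hits.append("short-lived certificate")
    if rec.registrant is None:
        hits.append("no registrant organisation in WHOIS")
    if rec.cert_org is None:
        hits.append("certificate not issued to a named organisation")
    if rec.ip_blacklisted:
        hits.append("IP address blacklisted")
    return hits


# Records constructed from the table above (dates converted to ISO order).
SPOOF = DomainRecord("adobe-login.tk", date(2022, 11, 7), None, None,
                     date(2022, 11, 7), date(2023, 2, 5), ip_blacklisted=True)
LEGIT = DomainRecord("adobe.com", date(1986, 11, 17), "Adobe Inc.", "Adobe Inc",
                     date(2022, 10, 10), date(2023, 10, 10), ip_blacklisted=False)
OBSERVED = date(2022, 11, 8)   # detection date given in the report

if __name__ == "__main__":
    for rec in (SPOOF, LEGIT):
        print(rec.domain, "->", assess(rec, OBSERVED) or ["no indicators"])
```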
How Bfore.Ai is protecting our customers
At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.
With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With only a 0.05% false positive rate, you can stop wasting time chasing false alerts. By launching our PreCrime and PreEmpt technologies, we measure how far ahead of an attack’s start we are, moving faster than attackers.
Accepting that the only defense is good detection is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information!
Bfore.Ai’s recommendations
Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team:
- Pay close attention to the URL
- Check connection security indicators (the lock)
- Read emails carefully
- Look for trust seals
Appendix
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.