Hacker News new | past | comments | ask | show | jobs | submit login
Deconstructing a Sexploitation Attack (rethinksecurity.io)
37 points by joebasirico 14 days ago | hide | past | web | favorite | 18 comments

> Keep sensitive data off of shared systems, use a strong password and Two Factor Authentication, keep your systems up to date, and be thoughtful about the trust you put into where you upload your data.

Also be thoughtful about the trust you put into who you share any data with (especially photos) and be conscious about who can see it (this is a big deal on social media, where privacy and visibility permissions aren’t easily understood or used by people). Unless you’re a celebrity (and sometimes even if you’re a celebrity), sensitive information could leak from anyone you’ve shared it with.

Absolutely, I should have made this clearer in the article. There have been many breaches in the past and the more places you put your sensitive data the more likely it is to be lost!

Recent versions of Windows 10 have the Sandbox feature which gives you quick and easy access to a temporary VM that would let you safely open the attachment as described in this article. Obviously not as secure as Kali Linux, but more usable to most people than spinning up a Kali VM.

So a whole lot of nothing. They pulled a list and loaded an email campaign. I wonder who is actually paying up here. Nice to learn about some tools that I was not familiar with though.

Yea, I'm glad it turned out to be nothing. I was pretty concerned to see my valid credentials in the subject line. The PDF was reasonably convincing, and very threatening. It got me thinking about things like "this can't be real, right? but what if it is? Should I just pay it to make it go away?" I figured if I was thinking those thoughts others might, so it was worth the investigation. Thanks for reading!!

I didn't think PDF files could contain executable code.

Are PDFs as attack vectors common?

Exploits for media format handling code often just use memory safety bugs to get code execution. It can and does happen with simpler formsts too, eg image and video formats.

Adobe acrobat is infamous for being infested with vulnerabilities.

(But yes, PDFs support scripting)

The PDF spec includes a full on (but slightly different) version of JavaScript tragically enough.

> I didn't think PDF files could contain executable code.

Sadly this is how most attacks against {file formats, protocols, standards} work.

  - Lots of parts of the Unicode spec (LTR/RTL swap, phishing attacks with homographs)
  - Interpretation of character set by browser+server
  - XML External Entities to do XXE
  - YAML references to create YAMLBombs
  - Zip massive compression ratios to create ZIP bombs
  - JWT where user assigns no encryption algorithm
  - PHP accepting URLs from user then piping them to PHP filters
  - file upload with polymorphic files
  - file upload where filename suffix doesn't match magic bytes

> Are PDFs as attack vectors common?

This is not news. PDF-based attacks against Acrobat / Acrobat Reader, FoxIt, etc have been common for over a decade.

> Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009[1]

> According to a newly released report by Symantec's MessageLabs, malicious PDF files outpace the distribution of related malicious attachments used in targeted attacks.[2] (2011)

> JavaScript and XFA Forms / Adobe LifeCycle[3]

[1] https://www.schneier.com/blog/archives/2010/03/pdf_the_most_...

[2] https://www.zdnet.com/article/report-malicious-pdf-files-bec...

[3] https://www.sentinelone.com/blog/malicious-pdfs-revealing-te...

I think it wasn't so much the normal text content of the PDF itself, but, attackers targeted specific media features of PDF readers that would open files or attachments within or linked from the PDF. Image attachments, etc.

Fun times: https://www.cvedetails.com/vulnerability-list/vendor_id-53/p...

PDF is postscript + other stuff. And postscript is turning complete.

Brainfuck is also turing complete, but it's not Tetris complete. That's a very important distinction for possible attack vectors.

PDFs on the other hand are tetris complete.

There seems to be an accessibility issue with this link. I do get an essentially empty page in Firefox and Chrome when I try to read this with a screen reader. Opening the same page with lynx also gives me an empty page (no surprise there), and skimming through the page source, the HTML/CSS/JS contains far too much obscure stuff to actually trust this page.

“international hacker negotiator” Seems an interesting and trendy job

tl;dr: they got one of these spam email that you’ll find a dozen of in your spam box, made up a bunch of “potential” bad things that could happen but none of that happened and the spammer just wanted bitcoins.

TL;DR+= they put the message body in an encrypted PDF to evade keyword-based spam filters


This is literally the entire article on mobile safari

EDIT: purify ad-blocker caused the issue

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact