Phishing

Organizations warn of attacks using ‘Encrypted’ PDF files

On Wednesday, August 14, 2024, Citizen Lab and Access Now issued a warning about spear-phishing attacks that are using ‘encrypted’ and ‘secured’ PDF files to lure victims to phishing sites. These sites aim to steal login credentials for Proton and Google accounts.

According to these organizations, the attacks have been carried out by two groups named Coldriver and Coldwastrel. The former group, Coldriver, has been linked to the Russian secret service FSB. The attacks primarily target civil society organizations and international NGOs.

The attackers send emails that appear to come from people the targets know, using email addresses that differ by only one character. These emails include a PDF file that, when opened, claims that the content requires a login to be viewed. The PDF file then contains a link that directs the victim to the phishing page.
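Two of the signals described above are straightforward to check on the receiving side: a sender address that is one character away from a known contact, and a PDF attachment whose only purpose is to carry a link off-site. The following Python script is an added example written for this page; it is not code from Citizen Lab, Access Now, or the reporting they published. The address book, sender address, PDF bytes and trusted host list are all constructed sample data, and the function names are this example's own.

```python
"""Defender-side checks for the lure described above: lookalike sender
addresses (one edit away from a known contact) and link targets embedded in
a PDF attachment. Added example; all sample data below is constructed."""
import re
from urllib.parse import urlparse


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,          # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_contacts(sender: str, address_book: list[str], max_distance: int = 1) -> list[str]:
    """Known addresses within `max_distance` edits of `sender` that are NOT an
    exact match: the 'differs by one character' pattern from the report."""
    s = sender.strip().lower()
    return [known for known in address_book
            if known.strip().lower() != s
            and edit_distance(s, known.strip().lower()) <= max_distance]


# /URI actions in an uncompressed PDF object, parenthesised-string form only.
# Hex strings and links inside compressed object streams are out of scope here.
_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def pdf_link_targets(pdf_bytes: bytes) -> list[str]:
    """Extract link targets from /URI actions in raw PDF bytes."""
    targets = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        targets.append(raw.decode("latin-1"))
    return targets


def assess_message(sender: str, address_book: list[str],
                   attachment: bytes, trusted_hosts: set[str]) -> dict:
    """Combine both signals into a verdict for one inbound mail."""
    lookalikes = lookalike_contacts(sender, address_book)
    links = pdf_link_targets(attachment)
    offsite = [u for u in links if urlparse(u).hostname not in trusted_hosts]
    return {
        "lookalike_of": lookalikes,
        "links": links,
        "offsite_links": offsite,
        "suspicious": bool(lookalikes) or bool(offsite),
    }


# --- constructed sample data (hypothetical, not from the real campaign) ---
ADDRESS_BOOK = ["anna.lee@example.org", "bob.smith@example.org"]
SAMPLE_SENDER = "anna.1ee@example.org"   # 'l' replaced by '1'
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
/A << /S /URI /URI (https://login-portal.example.invalid/proton) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
TRUSTED_HOSTS = {"example.org"}

if __name__ == "__main__":
    verdict = assess_message(SAMPLE_SENDER, ADDRESS_BOOK, SAMPLE_PDF, TRUSTED_HOSTS)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Running the script on the constructed sample flags the mail on both counts: the sender is one edit away from `anna.lee@example.org`, and the attachment's only link points at a host outside the trusted set. The PDF parser is deliberately minimal; real attachments often keep annotations in compressed object streams, so a production check should run the same logic over a properly decoded PDF rather than the raw bytes.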

Researchers from Citizen Lab and Access Now emphasize the importance of being cautious with ‘encrypted’ and ‘secured’ PDF files. They also advise the ‘proper use’ of two-factor authentication (2FA). Some victims had 2FA enabled but were still tricked into entering their 2FA codes.

In particular, SMS-based 2FA is considered risky. The researchers recommend security keys and passkeys as safer 2FA methods.

Visit the Citizen Lab article for more information.