Warning issued for protection against fake websites and PDFs

Stay safe online! Authorities warn users about the dangers of fake websites and malicious PDFs

Mar 6, 2025 - 17:03

Pakistan's National Computer Emergency Response Team (National CERT) issued a notice regarding a phishing scheme that incorporates fake CAPTCHA images inside PDF files to deploy the Lumma Stealer malware. 

The campaign, which breached thousands of users, was expected to impact people working in the technology, financial services, and manufacturing industries, the majority of them in North America, Asia and Southern Europe. National CERT reported that cybercriminals were embedding malware into PDF documents and using search engines to reach victims.

The documents had misleading CAPTCHA images that tricked users into pressing a button that took them to phishing webpages.

The webpages would either steal sensitive financial information, or deploy the Lumma Stealer malware.

The attackers put these PDFs on PDFCOFFEE, PDF4PRO, and Internet Archive because these websites look trustworthy in search engines. PDF documents are not the only way attackers deploy Lumma Stealer, which is a Malware-as-a-Service (MaaS) tool.

The advisory reported that Lumma Stealer can also steal sensitive credentials such as user passwords, login details, browser cookies, and even cryptocurrency wallet information.


GhostSocks—yeah, that’s what they threw into the mix. This sneaky proxy tool, basically, hijacked folks’ internet connections in ways that, well, you wouldn’t really expect. It’s kind of wild when you think about it.

Then there were all these stolen credentials, like login details and whatnot, ending up for sale on underground forums—seriously, even places like Leaky[.]pro. And oh boy, a whole bunch of dodgy domains were linked to the scheme: pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, plus docsviewing[.]net. It’s just a mess sometimes.

National CERT—those experts on security—pushed for a slew of urgent measures to tone down the risk from these attacks. They weren't messing about, you know?

Organizations got the word to start schooling their staff about phishing dangers (because let’s face it, many folks are still in the dark), ramp up their endpoint defenses with some high-tech tools, and even to clamp down on risky software like PowerShell and MSHTA—if you ask me, that seems pretty spot on.

They also urged everyone to block off those nefarious domains, switch on PowerShell logging (which, admittedly, can be a bit of a pain to set up), and get multi-factor authentication rolling—MFA isn’t just a fancy add-on; it’s pretty much a must-have these days.

And then, keeping an eye on search engine results for bogus domains that try to pass themselves off as genuine services turned out to be absolutely crucial. I mean, you really don’t want to miss any red flags that might pop up unexpectedly.
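As an added example (not code from National CERT or from this article), the sketch below shows one way to act on the domain-blocking advice: it checks DNS query log lines against the domains named above, matching subdomains on label boundaries. The log format (timestamp, client IP, queried name), the sample lines and all function names are assumptions made for illustration.

```python
import re

# Defanged domains exactly as listed in the article above.
ADVISORY_DOMAINS = ["pdf-freefiles[.]com", "webflow-docs[.]info",
                    "secure-pdfread[.]site", "docsviewing[.]net"]

def refang(indicator):
    """Turn a defanged indicator (example[.]com, hxxp://...) into a bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://|^https?://", "", s)
    return s.split("/")[0].rstrip(".")

BLOCKED = {refang(d) for d in ADVISORY_DOMAINS}

def matched_domain(hostname):
    """Return the listed domain that hostname equals or is a subdomain of, else None."""
    labels = refang(hostname).split(".")
    # Compare whole labels only, so 'notdocsviewing.net' is not a match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED:
            return candidate
    return None

def scan_dns_log(lines):
    """Return (timestamp, client, query, listed_domain) for every matching query."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of failing the whole scan
        hit = matched_domain(parts[2])
        if hit:
            hits.append((parts[0], parts[1], parts[2], hit))
    return hits

# Constructed sample log lines (assumed format: timestamp, client IP, queried name).
SAMPLE_LOG = [
    "2025-03-06T09:14:02Z 10.0.4.17 www.example.org",
    "2025-03-06T09:14:05Z 10.0.4.17 cdn.Secure-PDFread.site.",
    "2025-03-06T09:15:40Z 10.0.7.3 notdocsviewing.net",
    "2025-03-06T09:16:11Z 10.0.7.3 docsviewing.net",
    "garbage",
]

if __name__ == "__main__":
    print(*scan_dns_log(SAMPLE_LOG), sep="\n")
```

The same matching function can feed a resolver or proxy blocklist; the label-boundary check keeps unrelated lookalike names from being flagged.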
