Tracking PDF Usage Poses a Security Problem

Update on May 2

Adobe has confirmed this vulnerability and has scheduled a patch release for May 14.


Looking back this year’s RSA Conference, you might have the feeling that the current threat landscape is primarily a series of advanced attacks. This concept includes well-known advanced persistent threats (APTs) and zero-day vulnerability exploits. To respond to this trend in threats, McAfee Labs has launched several innovative projects, one of which we call the advanced exploit detection system (AEDS). The AEDS is based on our in-depth understanding of application security, which comes from our long-term cutting-edge research efforts. We have already seen some interesting results that reflect the effectiveness of the project.

Recently, we detected some unusual PDF samples. After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader including the latest “sandboxed” Reader XI (11.0.2). Although the issue is not a serious problem (such as allowing code execution), it does let people track the usage of a PDF. Specifically, it allows the sender to see when and where the PDF is opened.

The vulnerability

When a specific PDF JavaScript API is called with the first parameter having a UNC-located resource, Adobe Reader will access that UNC resource. However, this action is normally blocked and creates a warning dialog asking for permission, such as we see below:


The danger is that if the second parameter is provided with a special value, it changes the API’s behavior. In this situation, if the UNC resource exists, we see the warning dialog. However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone.

The following screen capture shows the outgoing traffic:


How does this affect users?

Is this a serious problem? No, we don’t want to overvalue the issue. However, we do consider this issue a security vulnerability. Considering this, we have reported the issue to Adobe and we are waiting for their confirmation and a future patch. We are also hiding the key details of the vulnerability to protect Reader users. We may update this post at some point after we see a patch from Adobe.

Some people might leverage this issue just out of curiosity to know who has opened their PDF documents, but others won’t stop there. An APT attack usually consists of several sophisticated steps. The first step is often collecting information from the victim; this issue opens the door. Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, Internet service provider, or even the victim’s computing routine. In addition, our analysis suggests that more information could be collected by calling various PDF JavaScript APIs. For example, the document’s location on the system could be obtained by calling the JavaScript “this.path” value.

Who is exploiting this issue?

We have detected some PDF samples in the wild that are exploiting this issue. Our investigation shows that the samples were made and delivered by an “email tracking service” provider. We don’t know whether the issue has been abused for illegal or APT attacks.

Conclusion and protection

This interesting case highlights the point that privacy protection is a part of security. It shows that we can form different opinions depending on our goals (such as security protection vs. email tracking service).

This case also demonstrates that we need to constantly explore methods of detection because these examples won’t trigger memory corruption or code execution. Some of the most advanced detection technologies in the industry failed to detect them. We are happy to see that our AEDS is filling the gap.

Until Adobe creates a patch, Reader users should consider disabling JavaScript in Reader.


Thanks to my colleagues Bing Sun, Xiaobo Chen, and Chong Xu for their help with this investigation.

Fraudsters Continue to Show Interest in Football

Contributor: Avhdoot Patil

Phishers have recently gained a lot of interest in football. Various phishing attacks using football were observed in 2012. Phishers have already shown their interest in the 2014 FIFA World Cup, football celebrities, and football clubs. Scam for LIONEL MESSI Fans and Scam for FC Barcelona are good examples of phishers using football celebrities and football clubs. Fraudsters understand that choosing celebrities with a huge fan base offers the largest amount of targets which could increase their chances of harvesting user credentials. In April 2013, the trend continued with phishers using the same strategy. The phishing sites were in French on a free web hosting site.

The phishing sites prompted users to enter their Facebook login credentials on pages designed to highlight Lionel Messi, FC Barcelona, or Cristiano Ronaldo. The phishing pages contained images of Lionel Messi, FC Barcelona, or Cristiano Ronaldo and tried to create the false impression that they were the official Facebook page for either Messi, FC Barcelona, or Ronaldo. Some of the fake sites were titled, “first social networking site in the world”. Users were prompted to enter their Facebook login credentials in order to connect to the Facebook page. After a user's login credentials have been entered, users are redirected to a legitimate Lionel Messi, FC Barcelona, or Cristiano Ronaldo community page to create the illusion of a valid login. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes.

Fraudsters Repeatedly 1.jpeg

Figure 1. Fake Facebook phishing page featuring Lionel Messi

Fraudsters Repeatedly 2.jpeg

Figure 2. Fake Facebook phishing page featuring FC Barcelona

Fraudsters Repeatedly 3.jpeg

Figure 3. Fake Facebook phishing page featuring Cristiano Ronaldo

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, “https”, or the green address bar when entering personal or financial information
  • Use comprehensive security software such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
  • Exercise caution when clicking on enticing links sent through email or posted on social networks
  • Report fake websites and email (for Facebook, send phishing complaints to [email protected])

Police arrest suspect accused of “unprecedented” DDoS attack on Spamhaus

Spanish authorities have arrested a 35-year-old Dutchman they say is "suspected of unprecedented heavy attacks" on Spamhaus, the international group that helps network owners around the world block spam.

A press release (English translation here) issued by the Dutch Public Prosecutor Service identified the suspect only by the initials SK and said he was living in Barcelona. A variety of circumstantial evidence, mostly taken from this Facebook profile, strongly suggests the suspect is one Sven Olaf Kamphuis. He's the man quoted in a March 26 New York Times article saying a Dutch hosting company called CyberBunker, which Kamphuis is affiliated with, was behind distributed denial-of-service attacks aimed at Spamhaus. Kamphuis later denied he or CyberBunker had anything to do with the attacks.

With peaks of 300 gigabits per second, the March attacks were among the biggest ever recorded. Besides their size, they were also notable because they attacked the London Internet Exchange, a regional hub where multiple networks from different service providers connect. As Ars writer Peter Bright explained, the size and technique threatened to clog up the Internet's core infrastructure and make access to the rest of the Internet slow or impossible. While some critics said that assessment was overblown, Bright provided this follow-up explaining why the attacks had the potential to break key parts of the Internet.

Read 2 remaining paragraphs | Comments

Rise of .pw URLs in Spam Messages

Symantec has observed an increase in spam messages containing .pw top-level domain (TLD) URLs.  While it was originally a country code top-level domain for Palau, it is now available to the general public through Directi, who branded it as “Professional Web”.

pw tld blog 1.png

Figure 1. .pw TLD URL spam message increase

Looking back at the last 90 days, .pw ranked #16 on our TLD distribution list:

pw tld blog 2_0.png

Figure 2. TLD distribution list - last 90 days

However, the .pw URL jumps to the fourth spot when looking at the last 7 days:

pw tld blog 3.png

Figure 3. TLD distribution list - last 7 days

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. 

These are the top ten subject lines from .pw URL spam over the last two days:

  • Subject: How to sell your Timeshare
  • Subject: Reusable K Cup for Keurig or single-brew coffee maker
  • Subject: Reusable single-brew coffee cup you can fill with your coffee blend.
  • Subject: Are your home possessions covered in case of a  catastrophe?
  • Subject: Elmo's Learning Adventure Gift Package
  • Subject: Make Learning Fun - With Elmo & the Sesame Street Gang!
  • Subject: Are your appliances and home systems covered?
  • Subject: Refinance Today, Save Tomorrow
  • Subject: Nothing is more EFFECTIVE for High Blood Pressure
  • Subject: Mortgage Rates

pw tld blog 4.png

Figure 4. .pw URL spam message example

Symantec will continue to monitor this trend and create additional filters to target these attacks.  In addition, Symantec also advises enterprises and consumers to adopt the best practices found in the Symantec Intelligence Report.