This morning, I received an interesting phishing email. I\u2019ve a \u201clove & hate\u201d relation with such emails because I always have the impression to lose time when reviewing them but sometimes it\u2019s a win because you spot interesting \u201cTTPs\u201d (\u201ctools, techniques &\u00a0 procedures\u201d). Maybe one day, I’ll try to automate this process!<\/p>\n
Today’s\u00a0email targets Metamask[1<\/a>] users. It\u2019s a popular software crypto wallet available as a browser extension and mobile app. The mail asks the victim to enable 2FA:<\/p>\n The link points to an AWS server:\u00a0hxxps:\/\/access-authority-2fa7abff0e[.]s3.us-east-1[.]amazonaws[.]com\/index.html<\/p>\n But it you look carefully at the screenshots, you see that there is a file attached to the message: \u201cSecurity_Reports.pdf\u201d. It contains a fake security incident report about an unusual login activity:<\/p>\n The goal is simple: To make the victim scary and ready to \u201cincrease\u201d his\/her security by enabled 2FA.<\/p>\n I had a look at the PDF content. It\u2019s not malicious. Interesting, it has been generated through ReportLab[2<\/a>], an online service that allows you to create nice PDF documents!<\/p>\n They also provide a Python library to create documents:<\/p>\n The PDF file is the SHA256 hash\u00a02486253ddc186e9f4a061670765ad0730c8945164a3fc83d7b22963950d6dcd1.<\/p>\n Besides the idea to use a fake incident report, this campaign remains at a low quality level because the “From” is not spoofed, the PDF is not “branded” with at least the victim’s email. If you can automate the creation of a PDF file, why not customize it?<\/p>\n [1] https:\/\/metamask.io<\/a> Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260217-1.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260217-2.png?ssl=1\")
<\/p>\n\n6 0 obj\n<<\n\/Author ((anonymous)) \/CreationDate (D:20260211234209+00'00') \/Creator ((unspecified)) \/Keywords () \/ModDate (D:20260211234209+00'00') \/Producer (ReportLab PDF Library - www.reportlab.com)\n \/Subject ((unspecified)) \/Title ((anonymous)) \/Trapped \/False\n>>\nendobj<\/pre>\n
\npip install reportlab<\/pre>\n
\n\u200b\u200b\u200b\u200b\u200b\u200b\u200b[2] http:\/\/www.reportlab.com<\/a><\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n