The Season of Back to School Scams | McAfee Blog

McAfee Labs analyzed a PDF campaign that used a fake CAPTCHA on the first page to lure users into clicking a link which redirected through multiple domains to malicious sites that set cookies, tracked user behavior, and exfiltrated interaction data. The campaign used at least 13 domains (mostly Russian) registered in 2020–2021 and hosted behind Cloudflare to mask infrastructure. #McAfeeLabs #traffine_ru

Key points

  • Malicious PDFs contained a fake CAPTCHA on page one that redirected users when clicked, while page two displayed legitimate-looking back-to-school content to avoid detection.
  • The click on the fake CAPTCHA led to a URL with an “all hallows prep school uniform” string and proceeded through multiple redirections to reach malicious landing sites.
  • The landing sites set cookies, monitored user behavior, and collected interaction data, sending it to operator-controlled servers.
  • Researchers identified 13 domains involved in the campaign—11 Russian and 2 South African—created in 2020–2021 and using Cloudflare name servers.
  • Geographical targeting was global, with the United States and India among the top affected countries.
  • Three malicious PDF file hashes were reported and a domain list was published as Indicators of Compromise for detection and blocking.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The PDF campaign featured a fake CAPTCHA on the first page to lure users into clicking a link. [ ‘The PDF campaign used a fake CAPTCHA on the first page to lure users into clicking a link.’ ]
  • [T1204] User Execution – The flow relies on user action to click the link, enabling the redirects. [ ‘when clicked’ ]
  • [T1071.001] Web Protocols – Redirected through multiple domains to reach malicious landing sites. [ ‘redirected through multiple domains to reach malicious landing sites’ ]
  • [T1564.001] Hide Artifacts – Cloudflare masking of the infrastructure; all domains were created using Cloudflare name servers. [ ‘use Cloudflare’s name servers’ ]
  • [T1036] Masquerading – The PDF’s second page was designed to appear legitimate to users and scanners. [ ‘designed to appear legitimate to users and spam and security scanners.’ ]
  • [T1041] Exfiltration Over C2 Channel – The malicious site sets cookies, tracks user behavior, and exfiltrates interaction data to operator-controlled servers. [ ‘sets cookies, monitors user behavior, and collects interactions, sending the data to servers owned by the domain’s operators.’ ]

Indicators of Compromise

  • [File hash] Malicious PDF samples – 474987c34461cb4bd05b81d040cae468ca5b88e891da4d944191aa819a86ff21, 426ad19eb929d0214254340f3809648cfb0ee612c8374748687f5c119ab1a238, and 1 more hash
  • [Domain] Redirect and tracking infrastructure – traffine[.]ru, getpdf[.]pw, and 11 more domains
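The hashes and domains above are published for detection and blocking. As an added example (not code from McAfee or the original post), the following Python script refangs the two domains exactly as they appear on this page, compares proxy-log hostnames against them (exact match or subdomain, never a plain substring match, so a path that merely contains the string "traffine.ru" is not a hit), and checks mail-gateway SHA-256 values against the two hashes given above. The log lines are constructed for the example; the log format, the field names and the `sha256=` token are assumptions, and the third hash and the other eleven domains are not reproduced here because the page does not list them.

```python
"""Match the IoCs published on this page against constructed log lines.

Added example, not part of the McAfee post. Domain list and hash set
are the subset actually printed on the page.
"""
import re
from urllib.parse import urlsplit

# Domains copied verbatim from the IoC list, still in defanged form.
DEFANGED_DOMAINS = ["traffine[.]ru", "getpdf[.]pw"]

# SHA-256 values of the malicious PDFs as listed on the page (the page
# mentions a third hash without printing it, so it is not included).
PDF_HASHES = {
    "474987c34461cb4bd05b81d040cae468ca5b88e891da4d944191aa819a86ff21",
    "426ad19eb929d0214254340f3809648cfb0ee612c8374748687f5c119ab1a238",
}


def refang(text: str) -> str:
    """Convert common defanging ('[.]', '(.)', 'hxxp://') back to a plain host name."""
    t = text.strip().lower()
    t = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", t)
    t = re.sub(r"^hxxps?://", "", t)
    return t.split("/")[0]


BLOCKED_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches(host: str) -> bool:
    """True when host is a blocked domain or a subdomain of one.

    Deliberately not a substring test: 'traffine.ru.attacker.example' and
    'example.com/traffine.ru' must not match, 'cdn.getpdf.pw' must.
    """
    h = host.lower().rstrip(".")
    return any(h == b or h.endswith("." + b) for b in BLOCKED_DOMAINS)


def url_is_blocked(url: str) -> bool:
    """Extract the host from a URL and check it against the block list."""
    host = urlsplit(url).hostname or ""
    return host_matches(host)


# Constructed proxy log: "<timestamp> <user> <url> <status>" (assumed format).
PROXY_LOG = [
    "2024-09-03T08:12:04Z alice https://cdn.getpdf.pw/form.pdf 302",
    "2024-09-03T08:12:05Z alice https://traffine.ru/go?x=1 200",
    "2024-09-03T08:13:10Z bob https://school.example/uniform-policy.pdf 200",
    "2024-09-03T08:14:00Z carol https://example.com/traffine.ru 200",
]

# Constructed mail-gateway log with an assumed "sha256=<hex>" token.
MAIL_LOG = [
    "2024-09-03T07:55:00Z from=admissions@example.org file=back_to_school.pdf "
    "sha256=474987c34461cb4bd05b81d040cae468ca5b88e891da4d944191aa819a86ff21",
    "2024-09-03T07:58:31Z from=pta@example.org file=schedule.pdf "
    "sha256=" + "0" * 64,
]


def scan_proxy_log(lines):
    """Return (user, host) pairs for requests whose host is on the block list."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crashing
        user, url = fields[1], fields[2]
        if url_is_blocked(url):
            hits.append((user, urlsplit(url).hostname))
    return hits


def scan_mail_log(lines):
    """Return the log lines whose attachment hash is one of the published PDF hashes."""
    pattern = re.compile(r"sha256=([0-9a-f]{64})")
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m and m.group(1) in PDF_HASHES:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for user, host in scan_proxy_log(PROXY_LOG):
        print(f"proxy hit: user={user} host={host}")
    for line in scan_mail_log(MAIL_LOG):
        print(f"mail hit: {line}")
```

Adding the remaining domains from the full IoC list is a matter of appending their defanged form to `DEFANGED_DOMAINS`; the suffix check means every subdomain behind the Cloudflare name servers is covered without enumerating it.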

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-season-of-back-to-school-scams/