Adobe’s InDesign exploited in new wave of phishing attacks

Hackers are getting creative, literally, by utilizing Adobe’s popular graphic design program, InDesign, to target corporations in the latest surge of phishing attacks, new research shows.

The bad actors are using the design program, which specializes in page layout and desktop publishing, to create fake but realistic emails stamped with the brand logos of known and trusted companies, according to the security research team at Barracuda.

In many cases, the attackers took the time to research the target victims, including both companies and individual users, before crafting the malicious emails.

Multiple employees from the same company were also found to have been simultaneously targeted.

Part of the Adobe Creative suite, InDesign is routinely used by graphic designers, journalists, marketers, and publishers, according to Adobe.

The trick emails would contain legitimate logos from other companies the victim already interacted with or had regular dealings with, making the target more vulnerable to attack – a process called spear phishing.

The hackers are thought to have easy access to the branded logos by simply siphoning them directly off of other websites.

Additionally, generic emails featuring Adobe, OneDrive and SharePoint logos were used by the hackers for blanket distribution.

Phishing emails made with Adobe InDesign. Image by Barracuda.

Barracuda said the number of phishing emails carrying Adobe InDesign clickable links has increased dramatically this fall.

Since October, Barracuda telemetry showed “the daily count has jumped from around 75 per day to around 2,000 per day” – a massive increase of 30x, the company said.

The researchers found nearly one in ten of the observed emails contained active phishing links, while another 20% included removed content.

Some of the phishing emails appear flawless, while others are easier to spot, containing just basic text, Barracuda said.

Phishing emails made with Adobe InDesign. Image by Barracuda.

“All the attacks are relatively straightforward and consistent in their approach, inviting the recipient to click on a link that will take them to another site.... but actually controlled by the attackers, for the next stage of the attack,” Barracuda said.

The attacker site that users are routed to is hosted on the indd.adobe[.]com subdomain (INDD stands for InDesign Document, the program’s default file extension).

Barracuda also noted that a majority of the malicious links contain the top-level domain “.ru” and are hosted behind a content delivery network (CDN) that acts as a proxy for the source site.

“This helps to obscure the source of the content and makes it harder for security technologies to detect and block the attacks,” it said.

Researchers say the InDesign phishing emails are successful for several reasons.

Besides the program’s ability to create “highly convincing social engineering attacks,” the attackers use “known and trusted domains” that are normally not blocked by a company’s network.

Furthermore, because the link is embedded in the design, “there is no known malicious URL link in the main body of the message for traditional security tools to detect and block,” Barracuda said.

Companies can protect themselves using a robust multilayered and AI-powered email security system, as well as conducting regular cybersecurity awareness training for employees, it said.
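Because the trusted indd.adobe[.]com host is rarely blocked outright, one option for mail triage is to surface messages that link to it from senders not expected to share InDesign documents. The sketch below is an added example, not code from Barracuda or the original article; the sample message, the `KNOWN_SENDERS` allowlist and the function names are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Host named in the article (written there defanged as indd.adobe[.]com).
INDESIGN_HOST = "indd.adobe.com"
# Hypothetical allowlist: sender domains expected to share InDesign documents.
KNOWN_SENDERS = {"design-agency.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample message; the addresses and document path are placeholders.
SAMPLE = b"""From: Accounts <billing@supplier.example>
To: user@corp.example
Subject: Shared document
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://indd.adobe.com/view/EXAMPLE-ID">View document</a>
<a href="https://indd.adobe.com.lookalike.example/x">other</a></body></html>
"""

def indesign_links(raw: bytes) -> list[str]:
    """Return each distinct link whose host is exactly the InDesign host."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            # Exact host comparison, so lookalike hosts that merely start
            # with the trusted name are not treated as the InDesign host.
            host = (urlsplit(url).hostname or "").rstrip(".")
            if host == INDESIGN_HOST and url not in found:
                found.append(url)
    return found

def triage(raw: bytes) -> dict:
    """Mark a message for analyst review when an unexpected sender links to InDesign."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].domain.lower() if addrs else ""
    links = indesign_links(raw)
    verdict = "review" if links and sender not in KNOWN_SENDERS else "pass"
    return {"sender_domain": sender, "links": links, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "review" verdict only means the linked document should be opened in a sandbox or checked by an analyst, since the email itself carries no malicious URL.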

Last month, Check Point research found another hacking campaign exploiting Adobe products.

In those attacks, the bad actors would create an account in the Adobe Cloud Suite to send unsuspecting users an “Adobe” email with a malicious PDF attachment. Once clicked on, it leads the victim to a credential harvesting page.