Phishing Campaign Uses Adobe Target to Harvest LinkedIn Credentials via Fake PDF Attachments
What Happened — Cybercriminals are sending LinkedIn‑style business‑inquiry emails that contain a malicious “contract.pdf.html” attachment. The attachment runs obfuscated JavaScript that displays a fake LinkedIn login form, captures the victim’s credentials, and forwards them to a Russian‑hosted PHP endpoint. The campaign abuses an Adobe Target domain (lnkd.tt.omtrdc.net) as a redirect/track point before sending the victim to the real LinkedIn site.
Why It Matters for TPRM —
- Credential theft from business partners can lead to downstream supply‑chain compromises.
- Abuse of a legitimate SaaS provider (Adobe) as a tracking hub makes detection harder for downstream vendors.
- The technique is cheap, scalable, and likely to appear in multiple industries that rely on LinkedIn for outreach.
Who Is Affected — Professional services, recruitment firms, B2B SaaS vendors, and any organization whose employees receive unsolicited LinkedIn‑style emails.
Recommended Actions —
- Update email gateway rules to block double‑extension files (e.g., *.pdf.html).
- Enforce MFA on all LinkedIn and corporate accounts.
- Monitor outbound traffic for unexpected POSTs to unknown .ru domains.
- Conduct phishing‑awareness training focusing on “PDF asks for password” scenarios.
Technical Notes — Attack vector: phishing email with malicious HTML attachment. The script uses URL‑encoding and Base64 obfuscation, then posts AA (hard‑coded email) and BB (entered password) to http://a1263367.xsph.ru/taam/Ln.php. Adobe Target’s domain is leveraged only as a redirect/track point, not as the data‑exfil endpoint. Source: Malwarebytes Labs