Beware of the TOAD, that’s the advice from Cisco Talos, a well-respected threat intelligence research team in the world of cybersecurity and business alike. The TOAD in question is a Telephone-Oriented Attack Delivery threat. I know all about these, having been targeted very recently by just such an attack. You might want to simply dump a TOAD attack into the phishing bucket along with everything else. Still, it’s worth separating out to understand the methodology employed, as it could just save your Microsoft, PayPal or Geek Squad accounts. The Cisco Talos report, based on an analysis of emails between May 5 and June 5, found those brands were among the most impersonated, and revealed that attackers were delivering malicious PDF attachments to victims in TOAD emails. Here’s what you need to know and do.
Malicious PDF Document TOAD Attacks — Do Not Open That File
“A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers,” Omid Mirzaei, security research lead in the email threat research team at Cisco Talos, said in the July 2 report. This is because PDF (portable document format, if you want to be more formal) files can be created by one application and then rendered by any number of reader applications. That flexibility has made the format a prime method of distributing documents, and a weapon in the arsenal of those who would attack you. “In recent months,” Mirzaei said, “it has also been exploited for illegitimate purposes, such as brand impersonation.”
According to research carried out by Mirzaei and the Cisco Talos team, a significant portion of email threats with a PDF payload are of the TOAD variety. “Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction,” Mirzaei warned.
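As an added example (not from the Cisco Talos report or this article), the following Python heuristic scores text that has already been extracted from a PDF attachment for the TOAD pattern described above: an impersonated brand name, a phone number, a "call us" instruction, and a transaction or account pretext. The regular expressions, the score threshold and the two sample texts are constructed assumptions for illustration, not indicators taken from the report.

```python
import re

# Brands the Cisco Talos report names as the most impersonated in TOAD PDFs.
IMPERSONATED_BRANDS = ("microsoft", "paypal", "geek squad")

# "Call ... support" style instruction; the wording list is an assumption.
CALL_LURE = re.compile(
    r"\b(call|dial|contact)\b[^.\n]{0,60}?\b(support|helpline|customer service|us)\b",
    re.I,
)
# Pretexts the report describes: resolve an issue, confirm a transaction (constructed list).
URGENCY = re.compile(
    r"\b(confirm (a |the |your )?transaction|resolve (an |the |this )?issue"
    r"|unauthori[sz]ed|subscription (renewed|renewal)|charged|cancel)\b",
    re.I,
)
# North American style numbers such as 1-888-555-0134 or (800) 555-0199 (assumed pattern).
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def score_toad_lure(text, threshold=3):
    """Score extracted PDF text for TOAD indicators; one point per indicator class.

    A phone number alone is not suspicious (invoices carry them too), so the
    verdict needs several classes to coincide. Returns a dict for triage tooling.
    """
    lowered = text.lower()
    brands = sorted(b for b in IMPERSONATED_BRANDS if b in lowered)
    phones = PHONE.findall(text)
    has_call = CALL_LURE.search(text) is not None
    has_urgency = URGENCY.search(text) is not None
    score = sum((bool(brands), bool(phones), has_call, has_urgency))
    return {
        "score": score,
        "flagged": score >= threshold,
        "brands": brands,
        "phones": phones,
        "call_instruction": has_call,
        "urgency": has_urgency,
    }


# Constructed sample texts standing in for pdftotext output; not real attachments.
SAMPLE_LURE = (
    "PayPal\nYour account was charged $499.99 for a Norton 360 subscription renewal.\n"
    "If you did not authorize this transaction, call our support team at "
    "1-888-555-0134 within 24 hours to cancel."
)
SAMPLE_BENIGN = (
    "Invoice #20451 from Acme Plumbing. Questions? Call us at (555) 010-2244. "
    "Thank you for your business."
)
```

Run the scorer over text from `pdftotext` or a similar extractor; PDFs that render the number only as an image need OCR first, which this heuristic does not cover.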
“TOADs are nothing new, but their resurgence recently has been notable,” Lucy Finlay, director of secure behaviour and analytics at Redflags from ThinkCyber, said. “This evolution is accelerated by the use of AI to identify legitimate login URLs of well-known brands that are vulnerable to takeover and imitation,” Finlay continued, concluding that it’s “extremely hard for the victim to use traditionally taught security awareness techniques to detect the scam.”
But the message is clear: given that these attack flows have been spotted very recently, you should avoid opening, or responding to (by clicking links or acting on unexpected telephone calls), any PDF document claiming to be from Microsoft, PayPal or Geek Squad in particular, or from any well-known brand more generally. “This is why security training needs to be integrated into daily workflows,” Finlay said, “and nudging at the point of risk is an effective way to do this.” If a user receives an email from an address that looks extremely plausible, what with it purporting to be from a known brand, and it contains a link or attachment, “a nudge on these elements to urge caution may be enough to stop the victim from going on to respond to the attempt,” Finlay concluded.
Here’s where you can get more advice on how to protect yourself from such attacks, provided by Microsoft, PayPal and Geek Squad, including scams beyond the PDF file attacks covered in the Cisco Talos report.