Email users warned of PDF risk

Security vendors have warned email users to be as vigilant about PDF attachments as they would for other file formats, after seeing a sharp rise in spam containing infected PDF files.

Email security vendor Messagelabs reported on Tuesday that PDFs made up 20 percent of image-based spam in July, up 10 percent from June. Image-based spam makes up around 22 percent of total spam, the company said.

MessageLabs believes attackers are using the PDF format because it more easily bypasses antivirus and anti-spam filters, and that users tend to trust the authenticity of a PDF over other types of documents, even if they don't recognise the sender.

"People have a mindset that the PDF is a locked document," said Andrew Antal, marketing director for MessageLabs. "Anybody can open and make changes to a Word or PowerPoint document sent over email. With a PDF there is a little more assurance that the file in unchangeable, and is thus in a safe state to receive."

Ed McNair, the chief executive of Marshal Software, says PDF spam is more difficult for an organisation to detect. In an interview with ZDNet.co.uk's sister site, ZDNet Australia, McNair said that spam messages can arrive as PDF email attachments. "Once opened it displays the spam message, whether that's a stock trading or an advert for some bogus health product. Organisations are finding it very hard to detect PDF spam at the moment, because it doesn't behave in a normal fashion," he said.

Antal said most security software solutions rely on detecting spam by searching for patterns within a message. "The filtering engines are far smarter when it comes to looking for patterns within Word, PowerPoint on Excel documents than PDFs," he said. "The algorithms are different."

While it is difficult for an attacker to embed any malware within a PDF file, the spam can present a risk nonetheless.

On most PDF spam captured so far, the malware doesn't sit within the PDF and can't be executed merely by opening the PDF. Instead, web links within the document point to compromised websites. A victim would have to not only open the PDF, but also click a link within it to risk infection.

"These links are often pointing to websites in which malware resides," Antal said. He said PDF spam shows that organisations need a layered defence to protect them against such threats — with security software deployed at the gateway, the client and the server.

ZDNet.co.uk's Tom Espiner contributed to this report.

Related Links:

• Go back to category Internet & Networks to read more reviews and articles.
• Go back to Software Magazine's main page.