A group of academics from the University of Bochum in Germany discovered a way to fake PDF content. They call it Shadow Attack, and 15 out of 28 desktop PDF readers are vulnerable.
Vulnerable applications include Adobe Acrobat Pro, Adobe Acrobat Reader, Foxit Reader and PDFelement, among others.
According to ZDNet, the counterfeiting technique relies on the concept of “layers of sight”. These are different sets of content that overlap one another in a PDF document.
What is Shadow Attack and how does it alter PDF material?
In a Shadow Attack, the attacker prepares a document with several layers and sends it to a victim. The recipient digitally signs the document with a benign layer on top. However, when the attacker receives it back, they swap the visible layer for another.
The cryptographic signature is not broken, which lets the attacker use the legally binding document for criminal actions.
Examples include changing the recipient of the payment or the sum in a PDF payment order, according to ZDNet.
Variants of the Shadow Attack
According to the Bochum University research team, there are three variants of the Shadow Attack.
- Hide, in which perpetrators use the PDF incremental update feature to hide a layer without replacing it.
- Replace, which uses the PDF's Interactive Forms function to replace the original value with a modified one.
- Hide and replace, in which attackers use a second PDF document contained in the original and then replace it entirely.
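A triage check a defender can run on a signed PDF, added here as an example and not taken from the researchers or any PDF vendor: it reads each signature's `/ByteRange` array (the standard list of byte offsets a PDF signature covers) and reports revisions appended after the signed bytes, which is where an incremental update such as the one in the Hide variant lands. The helper names and sample bytes are constructed for illustration.

```python
import re

# The four integers of a signature dictionary's /ByteRange array: [a b c d].
# Bytes a..a+b and c..c+d are hashed; the gap between them holds /Contents.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def audit_signed_pdf(data: bytes) -> list:
    """For each signature, report what lies outside the bytes it covers."""
    findings = []
    for m in BYTE_RANGE.finditer(data):
        a, b, c, d = (int(g) for g in m.groups())
        signed_end = c + d
        trailing = data[signed_end:]
        findings.append({
            "starts_at_zero": a == 0,
            # The only unsigned gap should be the <hex> signature value itself.
            "gap_is_contents_only": data[a + b:a + b + 1] == b"<" and data[c - 1:c] == b">",
            "unsigned_trailing_bytes": len(trailing),
            # Each %%EOF after the signed range closes one later revision.
            "revisions_after_signature": trailing.count(b"%%EOF"),
        })
    return findings

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed PDF-shaped bytes with a consistent /ByteRange (no real signature)."""
    head = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    sig = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"
    b_len = len(head % (0, 0, 0))  # fixed-width fields keep offsets stable
    signed = head % (b_len, b_len + len(sig), len(tail)) + sig + tail
    return signed + appended

# Constructed stand-in for a revision appended after signing.
UPDATE = b"4 0 obj\n<< >>\nendobj\ntrailer\n<< /Prev 0 >>\n%%EOF\n"

if __name__ == "__main__":
    for label, pdf in (("as signed", build_sample()), ("after update", build_sample(UPDATE))):
        print(label, audit_signed_pdf(pdf))
```

A non-zero revision count is a prompt for review, not proof of tampering: later signatures and form fill-ins also arrive as incremental updates, so the appended revision still has to be inspected for what it changes.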
How to protect yourself from counterfeiters?
German researchers contacted the creators of PDF applications to determine security measures.
As early as 2019, the Bochum University team destroyed another counterfeiting mechanism.