
Phishing attacks operating under the guise of security or compliance notifications are old hat for threat actors, largely because the pretext piques the recipient's interest and has delivered results in the past. This recent attack looked to exploit trust in, and the obligation to adhere to, PCI DSS compliance.

As most businesses that accept credit and debit card payments know, the PCI Security Standards Council (PCI SSC) publishes the Payment Card Industry Data Security Standard (PCI DSS), the baseline security standard for that industry. A threat actor recently purported to be the PCI DSS risk department. The message stated that an attached "Know Your Customer" verification PDF needed to be completed and returned to an address at pcidssa.]cc. That domain is under the actor's control; it is not the official PCI SSC domain, nor any address associated with the legitimate standards council.

Viewing the attached PDF, we see the attacker was after the recipients' business and financial information. The attachment itself contained no malware and showed no malicious activity in our test environment. However, if completed and returned, it would hand the attacker the business address, merchant ID, and bank routing and account numbers, which is enough to commit financial fraud against the target.
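The practical check for this kind of lure is on the mail gateway or in the SOC: does the sender or reply-to domain trade on a brand keyword while not being one of the brand's real domains, and does the Reply-To diverge from the From? The following is an added example written for this page, not code from the original post or from any vendor. It assumes a hypothetical allowlist (`LEGITIMATE_DOMAINS`, seeded with the council's public domain) and crude brand keywords; the sample messages are constructed and the `pcidssa.cc` domain is the defanged `pcidssa.]cc` from the post.

```python
"""Flag mail whose From / Reply-To / Return-Path domains impersonate a brand.

Added example: detection logic for look-alike sender domains such as the
pcidssa.]cc address used in the PCI DSS "Know Your Customer" lure.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumption: domains the organisation accepts as genuinely belonging to the
# PCI Security Standards Council. Extend with any others you have verified.
LEGITIMATE_DOMAINS = {"pcisecuritystandards.org"}

# Assumption: coarse keywords a look-alike domain is likely to contain.
# Tune per brand; short tokens such as "dss" will produce some noise.
BRAND_KEYWORDS = ("pci", "dss")

HEADERS = ("From", "Reply-To", "Return-Path")


def refang(domain):
    """Undo common defanging so 'pcidssa.]cc' compares as 'pcidssa.cc'."""
    for token in ("[.]", ".]", "[."):
        domain = domain.replace(token, ".")
    return domain.strip().lower()


def sender_domains(raw_message):
    """Return {header: domain} for each sender-side header present."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domains = {}
    for header in HEADERS:
        value = msg.get(header)
        if not value:
            continue
        _, addr = parseaddr(str(value))
        if "@" in addr:
            domains[header] = refang(addr.rsplit("@", 1)[1])
    return domains


def impersonation_findings(raw_message):
    """List (finding, detail, detail) tuples; empty list means nothing flagged."""
    domains = sender_domains(raw_message)
    findings = []
    for header in HEADERS:
        domain = domains.get(header)
        if domain is None or domain in LEGITIMATE_DOMAINS:
            continue
        if any(kw in domain for kw in BRAND_KEYWORDS):
            findings.append(("brand-lookalike", header, domain))
    # Classic phishing tell: replies are routed somewhere other than the sender.
    if "From" in domains and "Reply-To" in domains and domains["From"] != domains["Reply-To"]:
        findings.append(("reply-to-mismatch", domains["From"], domains["Reply-To"]))
    return findings


# Constructed sample resembling the lure described above (not a real capture).
LURE = """From: "PCI DSS Risk Department" <risk@pcidssa.cc>
Reply-To: kyc-returns@pcidssa.cc
Subject: Know Your Customer verification required

Please complete the attached KYC verification form and return it.
"""

# Constructed sample where only the reply path is hijacked.
MIXED = """From: "Merchant Services" <notifications@example-bank.test>
Reply-To: compliance@pcidssa.cc
Subject: Compliance attestation

See attached.
"""

# Constructed sample from the council's real domain: should not be flagged.
LEGIT = """From: "PCI SSC" <info@pcisecuritystandards.org>
Subject: Newsletter

Nothing to see here.
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("mixed", MIXED), ("legit", LEGIT)):
        print(name, impersonation_findings(sample))
```

The keyword match is deliberately simple; in production you would add edit-distance or homoglyph comparison against the allowlist and feed the flagged domain into your IOC list so that both inbound mail and the outbound reply traffic to it are caught.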
