In a newly discovered phishing campaign, threat actors are using malicious PDF files to target mobile device users in potentially more than 50 countries.
Dubbed the “PDF Mishing Attack,” the campaign exploits the widespread trust in PDFs as a secure file format, revealing new vulnerabilities in mobile platforms.
The phishing operation masquerades as the United States Postal Service (USPS) to gain the trust of users and fool recipients into downloading the malicious PDFs. Once a file is opened, hidden links inside it redirect the victim to phishing pages designed to steal credentials.
Exploiting Humans
According to Zimperium’s zLabs team, who discovered the campaign, “PDFs are used extensively for contracts, reports, manuals, invoices, and other critical business communications. Their ability to incorporate text, images, hyperlinks, and digital signatures while maintaining integrity makes them ideal for enterprises prioritizing professionalism and compliance.”
Because PDFs are widely used and seen as ‘tamper-proof,’ people have developed an inherent, yet dangerous, trust in their safety. This is one example of how bad actors exploit natural human biases, using the false sense of security around PDFs to conduct sophisticated phishing campaigns.
Hidden in Plain Sight
zLabs’ researchers have been actively tracking the phishing campaign, which impersonates the United States Postal Service (USPS) and exclusively targets mobile devices. The team has uncovered more than 20 malicious PDF files and 630 phishing pages.
According to the researchers: “This campaign employs sophisticated social engineering tactics and a never-before-seen means of obfuscation to deliver malicious PDF files designed to steal credentials and compromise sensitive data.”
The advanced evasion techniques conceal clickable malicious links within the PDF documents, effectively bypassing conventional endpoint security tools.
This attack specifically targets mobile device users, cashing in on the limited visibility mobile platforms provide when previewing file contents. Unlike desktop platforms, where PDFs are often opened with security overlays, mobile devices lack the same protections, exposing users to hidden threats.
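The article does not describe the obfuscation the campaign uses, so the script below does not reproduce it; it is an added defender-side example, not code from the article or from Zimperium. It shows where clickable links live in a PDF (Link annotations carrying a /URI action), decodes the two string encodings the PDF format allows for the URL (literal strings with octal escapes and hex strings), and flags any link whose host is outside an allowlist or whose clickable rectangle covers the whole page. The sample PDF is constructed inline for the example, the usps.com allowlist and the "covers the page" heuristic are assumptions of this example, and it only parses uncompressed objects (real files often store annotations in compressed object streams, so production tooling should use a full PDF library).

```python
"""List URI link actions in an (uncompressed) PDF and flag ones a USPS notice should not contain."""
import re
from urllib.parse import urlsplit

# Assumption for the example: a genuine USPS notice only links to usps.com or a subdomain.
ALLOWED_HOSTS = ("usps.com",)

# Constructed sample, not one of the campaign's files: one page, no drawn text,
# two Link annotations. Object 4 covers the entire page and hides its URL behind
# octal escapes ("\056" is "."); object 5 is a small link written as a hex string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0]
   /A << /S /URI /URI (https://usps\\056example\\056test/track) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI <68747470733a2f2f7777772e757370732e636f6d2f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
_URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)
_RECT_RE = re.compile(rb"/Rect\s*\[([^\]]*)\]")
_MEDIABOX_RE = re.compile(rb"/MediaBox\s*\[([^\]]*)\]")


def decode_pdf_string(tok: bytes) -> str:
    """Decode a PDF literal (...) or hex <...> string object to text."""
    if tok.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", tok[1:-1])
        if len(hexdigits) % 2:              # spec: an odd final digit is padded with 0
            hexdigits += b"0"
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    body, out, i = tok[1:-1], bytearray(), 0
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
              b"(": b"(", b")": b")", b"\\": b"\\"}
    while i < len(body):
        c = body[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        i += 1
        nxt = body[i:i + 1]
        if nxt in simple:
            out += simple[nxt]
            i += 1
        elif nxt and nxt in b"01234567":    # \ddd: one to three octal digits
            j = i
            while j < len(body) and j - i < 3 and body[j:j + 1] in b"01234567":
                j += 1
            out.append(int(body[i:j], 8) & 0xFF)
            i = j
        elif nxt in (b"\n", b"\r"):         # backslash-newline is a line continuation
            i += 1
            if nxt == b"\r" and body[i:i + 1] == b"\n":
                i += 1
        else:                               # unknown escape: the backslash is dropped
            out += nxt
            i += 1
    return out.decode("latin-1")


def _box(match):
    return [float(v) for v in match.group(1).split()] if match else None


def extract_links(pdf: bytes):
    """Return one record per URI action found in Link annotation objects."""
    mb = _box(_MEDIABOX_RE.search(pdf))
    page_area = abs((mb[2] - mb[0]) * (mb[3] - mb[1])) if mb else None
    links = []
    for m in _OBJ_RE.finditer(pdf):
        obj = m.group(1)
        if b"/Link" not in obj:
            continue
        rect = _box(_RECT_RE.search(obj))
        covers_page = False
        if rect and page_area:
            covers_page = abs((rect[2] - rect[0]) * (rect[3] - rect[1])) >= 0.9 * page_area
        for u in _URI_RE.finditer(obj):
            url = decode_pdf_string(u.group(1))
            host = (urlsplit(url).hostname or "").lower()
            allowed = any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)
            links.append({"url": url, "host": host, "allowed": allowed,
                          "covers_page": covers_page})
    return links


if __name__ == "__main__":
    for rec in extract_links(SAMPLE_PDF):
        verdict = "OK     " if rec["allowed"] and not rec["covers_page"] else "SUSPECT"
        print(f"{verdict} {rec['url']}  host={rec['host']}  covers_page={rec['covers_page']}")
```

Run against the sample, the full-page link to the look-alike host is reported as suspect while the small usps.com link passes; the point for a defender is that a link's destination is recoverable from the file itself, whatever a mobile preview shows, so a mail or MDM gateway can extract and vet it before a user ever taps.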
On-Device Threat Detection
This latest attack highlights the need for better mobile threat defenses. While PDFs have long been considered safe for sharing and storing information, the fact is that they are not.
A report by HP Wolf Security found that PDF threats are on the rise. Where cybercriminals once used PDF lures mainly to phish for credentials and financial information, PDFs are now increasingly used to distribute malware, including strains such as WikiLoader, Ursnif, and DarkGate.
Traditional endpoint security tools, often designed with desktop environments in mind, may fail to detect advanced attacks on mobile platforms, so Zimperium stresses the importance of on-device threat detection to identify and neutralize these scourges before they can cause harm.
A Multi-channel Threat
According to Stephen Kowski, Field CTO at SlashNext, we are seeing phishing evolve in real time beyond email into a sophisticated multi-channel threat, with malefactors using trusted brands like USPS, Royal Mail, La Poste, Deutsche Post, and Australian Post to exploit limited mobile device security worldwide.
“The discovery of over 20 malicious PDFs and 630 phishing pages targeting organizations across 50+ countries shows how threat actors capitalize on users’ trust in official-looking communications on mobile devices. While organizations have robust email security, the critical tension between finance, HR, and technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors.”
Kowski says firms need to expand their security strategies beyond email to include comprehensive protection for mobile messaging and web-based messaging threats.
A Layered Security Approach
Organizations must adopt a layered security approach to combat such attacks, says Darren Guccione, CEO and Co-Founder at Keeper Security. “Employee education is vital for raising awareness about phishing attempts, teaching users to verify sender details, avoid clicking on suspicious links, and independently confirm shipping information by navigating to official channels like the USPS website or app directly.”
Implementing Multi-Factor Authentication (MFA), says Guccione, adds a crucial barrier to prevent unauthorized access even should credentials be compromised. “Zero-trust security frameworks with Privileged Access Management (PAM) solutions further mitigate risks by restricting access to sensitive systems, ensuring only authorized users can interact with critical data.”
For mobile devices, deploying real-time mobile threat detection and keeping devices and applications updated with the latest security patches can proactively defend against such threats, Guccione concludes.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.