- A new phishing campaign is targeting businesses and individuals in over 50 countries
- Experts warn attackers are hiding malicious links in PDFs using a never-before-seen obfuscation technique
- Use the best antivirus software and activate advanced mobile threat defense solutions
PDF files, long considered a safe and reliable way to share documents, are now being weaponized by cybercriminals in a sophisticated phishing campaign targeting mobile users.
New research from Zimperium’s zLabs team claims this new threat involves malicious PDFs delivered via SMS messages whose senders impersonate the United States Postal Service (USPS).
Attackers are using advanced techniques to hide malicious links within the files, exploiting the trust users place in the format to steal sensitive data.
Why mobile users are vulnerable
This campaign reportedly targets organizations and individuals in over 50 countries with over 20 malicious PDF files and 630 phishing pages identified so far.
Attacks commence once the victim clicks on the malicious link hidden in the PDF; usually containing requests for personal information, including names, addresses, and credit card details.
Mobile devices are considered especially vulnerable to this type of attack because, on smaller screens, users have limited visibility into file contents before opening them.
Malicious links in these PDFs are even more difficult to detect than usual, because the attackers aren’t using the standard /URI tag to embed links, allowing the malicious content to evade detection by traditional endpoint security software.
“Although USPS has no involvement, cybercriminals exploit its trusted name to mislead and target users,” said Nico Chiaraviglio, Zimperium zLabs’ Chief Scientist.
“This campaign shows the growing sophistication and continued rise of mishing attacks, emphasizing the need for proactive mobile security measures,” he added.
How to protect yourself
One of the most effective ways to stay ahead of this type of attack is to verify the sender’s details, and the metadata of any attachment you open; even more important measures to take as business email attacks are becoming a bigger threat than ever for businesses.
You may also want to avoid clicking on links embedded in PDFs or SMS messages. Instead, navigate directly to the official website or use the organization’s mobile app.
Furthermore, to stay safe from malware on mobile devices, ensure you’re using the best Android antivirus or best iPhone antivirus software.
