New Phishing Campaign Targets Mobile Devices with Malicious PDFs
A newly uncovered phishing campaign is targeting mobile users with advanced social engineering tactics and malicious PDF files designed to compromise sensitive data.
The campaign, which impersonates the United States Postal Service (USPS), employs a never-before-seen obfuscation technique to deliver its malicious payload.
Breaking Down the Campaign
Identified by researchers at Zimperium, the campaign uses SMS messages to spread a malicious PDF file containing a suspicious link. This link redirects users to a fake website designed to harvest sensitive information. The PDF file itself has a complex structure, comprising a header, body, cross-reference table and trailer. Notably, it embeds clickable links without using the standard /URI tag, making analysis more difficult.
The campaign’s novel obfuscation method involves inserting an XObject into the written URL, creating the appearance of a clickable button. This tactic is effective in certain PDF viewers, such as Chrome and macOS Preview, but may not work in others. When users click the “Click Update” button, they are redirected to a phishing webpage presenting a USPS delivery issue. The webpage prompts users to provide personal details, which are then encrypted and transmitted to a malicious command-and-control (C2) server.
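As an added illustration (not Zimperium's detection logic and not code from this article), here is a triage heuristic a defender could run over PDF attachments: it inflates Flate-compressed streams and flags files that show a URL as page text and paint an XObject but carry no /URI action. The heuristic itself, the function names and the sample bytes are assumptions constructed for this example.

```python
import re
import zlib

URL_RE = re.compile(rb"(?:https?://|www\.)[^\s()<>\[\]]+", re.I)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Operand of a text-showing operator: (string) Tj  or  [(frag) -5 (ment)] TJ
SHOW_RE = re.compile(rb"(\[.*?\]|\((?:\\.|[^\\()])*\))\s*T[jJ]", re.S)
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
DO_RE = re.compile(rb"/\w+\s+Do\b")  # "/Name Do" paints an XObject

def stream_bodies(pdf: bytes):
    """Yield each stream body, inflated when it is Flate-compressed."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            yield m.group(1)  # other filter or no filter: scan the raw bytes

def triage(pdf: bytes) -> dict:
    bodies = list(stream_bodies(pdf))
    uri_actions = [u for blob in [pdf, *bodies] for u in URI_RE.findall(blob)]
    text_urls, draws_xobject = [], False
    for body in bodies:
        for show in SHOW_RE.finditer(body):
            # Re-join fragments so a URL split across a TJ array is seen whole.
            text = b"".join(LITERAL_RE.findall(show.group(1)))
            text_urls += URL_RE.findall(text)
        draws_xobject = draws_xobject or bool(DO_RE.search(body))
    return {
        "uri_actions": uri_actions,
        "text_urls": text_urls,
        "draws_xobject": draws_xobject,
        # Heuristic (assumption): visible URL + painted XObject + no /URI action.
        "suspicious": bool(text_urls) and draws_xobject and not uri_actions,
    }

def _flate_obj(content: bytes) -> bytes:
    z = zlib.compress(content)
    return b"<< /Length %d /Filter /FlateDecode >>\nstream\n%b\nendstream\n" % (len(z), z)

# Constructed fragments, not samples from the campaign.
SUSPECT = _flate_obj(b"BT /F1 12 Tf [(https://example.inv) -5 (alid/track)] TJ ET\n"
                     b"q 120 0 0 30 72 700 cm /Im0 Do Q\n")
BENIGN = (b"<< /Subtype /Link /A << /S /URI /URI (https://example.com/) >> >>\n"
          + _flate_obj(b"BT (Track your parcel) Tj ET\n"))

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(sample))
```

Text drawn with hex strings or custom font encodings is not decoded here, so a clean result from this check is not evidence that a file is safe.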
Key Findings
- Over 20 malicious PDF files and 630 phishing pages were discovered, indicating a large-scale operation
- The campaign uses a complex and previously unseen technique to hide clickable elements
- The malicious infrastructure has the potential to impact organizations across more than 50 countries
“[These figures] show how threat actors capitalize on users’ trust in official-looking communications on mobile devices,” said SlashNext field CTO, Stephen Kowski.
“While organizations have robust email security, the critical tension between Finance, HR and Technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors.”
How to Defend Against Phishing
The campaign highlights the need for robust mobile threat defense mechanisms, particularly on-device scanning. Enterprises face significant risks from data breaches, credential theft and compromised workflows via seemingly harmless PDF files.
“Organizations must adopt a layered security approach to combat such attacks. Employee education is vital for raising awareness about phishing attempts, teaching users to verify sender details, avoid clicking on suspicious links and independently confirm shipping information by navigating to official channels like the USPS website or app directly,” commented Keeper Security CEO, Darren Guccione.
“Implementing multi-factor authentication (MFA) adds a critical barrier to prevent unauthorized access even if credentials are compromised. Zero-trust security frameworks with privileged access management (PAM) solutions further mitigate risks by restricting access to sensitive systems, ensuring only authorized users can interact with critical data.”