An expansive phishing campaign aimed at mobile devices takes advantage of users’ trust of PDF files and the U.S. Postal Service (USPS) to steal credentials and sensitive information, according to researchers with mobile security firm Zimperium.
The bad actors make the malicious PDFs look like communications from the USPS that are sent via SMS text messages and use what the researchers called in a report Monday a “never-before-seen means of obfuscation” to help them bypass traditional security controls. They embed the malicious links in the PDF, essentially hiding them from endpoint security solutions.
“This strategy highlights the evolving tactics of cybercriminals, who exploit both trusted file formats and advanced evasion methods to deceive users and compromise their data,” Zimperium malware analyst Fernando Ortega wrote.
The phishing attacks are part of a larger and growing trend of what Zimperium calls “mishing,” an umbrella word for campaigns that use email, text messages, voice calls, or QR codes that exploit such weaknesses as unsafe user behavior and minimal security on many mobile devices to infiltrate corporate networks and steal information.