Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe

(Image credit: Shutterstock / Neirfy)

A new phishing campaign is targeting businesses and individuals in over 50 countries
Experts warn attackers are hiding malicious links in PDFs using a never-before-seen obfuscation technique
Use the best antivirus software and activate advanced mobile threat defense solutions

PDF files, long considered a safe and reliable way to share documents, are now being weaponized by cybercriminals in a sophisticated phishing campaign targeting mobile users.

New research from Zimperium’s zLabs team claims this new threat involves malicious PDFs delivered via SMS messages whose senders impersonate the United States Postal Service (USPS).

Attackers are using advanced techniques to hide malicious links within the files, exploiting the trust users place in the format to steal sensitive data.

Why mobile users are vulnerable

This campaign reportedly targets organizations and individuals in over 50 countries with over 20 malicious PDF files and 630 phishing pages identified so far.

Attacks commence once the victim clicks on the malicious link hidden in the PDF; usually containing requests for personal information, including names, addresses, and credit card details.

Mobile devices are considered especially vulnerable to this type of attack because, on smaller screens, users have limited visibility into file contents before opening them.

Malicious links in these PDFs are even more difficult to detect than usual, because the attackers aren't using the standard /URI tag to embed links, allowing the malicious content to evade detection by traditional endpoint security software.

“Although USPS has no involvement, cybercriminals exploit its trusted name to mislead and target users,” said Nico Chiaraviglio, Zimperium zLabs' Chief Scientist.

“This campaign shows the growing sophistication and continued rise of mishing attacks, emphasizing the need for proactive mobile security measures,” he added.

How to protect yourself

One of the most effective ways to stay ahead of this type of attack is to verify the sender’s details, and the metadata of any attachment you open; even more important measures to take as business email attacks are becoming a bigger threat than ever for businesses.

You may also want to avoid clicking on links embedded in PDFs or SMS messages. Instead, navigate directly to the official website or use the organization’s mobile app.

Furthermore, to stay safe from malware on mobile devices, ensure you’re using the best Android antivirus or best iPhone antivirus software.

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com