Watch out, malicious PDF files are being used again in phishing attacks

Close up of a business person using a smartphone.

(Image credit: Pixabay)

Zimperium research finds SMishing campaign leveraging carefully crafted PDF files
The campaign is impersonating the USPS
The goal of the campaign is to steal login credentials

Corporate email accounts may be under the watchful eye of different security solutions, but mobile devices aren’t enjoying the same level of protection, experts have warned, as criminals are devising advanced, complex mobile phishing attacks to steal valuable login credentials.

Cybersecurity researchers at Zimperium recently discovered a new campaign using a unique obfuscation technique - they would first build a PDF file, mimicking the United States Postal Service (USPS). The file’s structure is quite complex, the researchers said, as it has a header, body, cross-reference table, and a trailer. The link, which leads to a malicious landing page, is embedded without using the standard /URI tag, which makes detection and forensics somewhat more difficult.

The uniqueness of the attack is seen in the URL, which comes with an embedded XObject. This allows the crooks to turn it into a clickable button.

SMS messages and PDF files

The attack starts with an SMS message, instead of an email. This way, the threat actors are able to bypass any email security protections set up, but also presents two unique challenges: one - they need to know their victims’ phone numbers, and two - sending SMS messages in bulk is not as cheap, easy, or private, as sending emails.

In the SMS message, the attackers impersonate the USPS and, in the usual scamming fashion, warn the victims about a parcel. They share the link to the PDF, which then leads to a malicious landing page, where victims end up sharing their login credentials. This information is ultimately encrypted and relayed to the attacker-owned C2 server.

This campaign highlights the fact phishing attacks can happen anywhere, not just in email, and that businesses need to expand their training sessions to cover virtually all communications platforms in use today.

Text spammers are getting creative and trying to play on your emotional needs – don't fall for it
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.