- Zimperium research finds SMishing campaign leveraging carefully crafted PDF files
- The campaign is impersonating the USPS
- The goal of the campaign is to steal login credentials
Corporate email accounts may be under the watchful eye of different security solutions, but mobile devices aren’t enjoying the same level of protection, experts have warned, as criminals are devising advanced, complex mobile phishing attacks to steal valuable login credentials.
Cybersecurity researchers at Zimperium recently discovered a new campaign using a unique obfuscation technique – they would first build a PDF file, mimicking the United States Postal Service (USPS). The file’s structure is quite complex, the researchers said, as it has a header, body, cross-reference table, and a trailer. The link, which leads to a malicious landing page, is embedded without using the standard /URI tag, which makes detection and forensics somewhat more difficult.
The uniqueness of the attack is seen in the URL, which comes with an embedded XObject. This allows the crooks to turn it into a clickable button.
SMS messages and PDF files
The attack starts with an SMS message, instead of an email. This way, the threat actors are able to bypass any email security protections set up, but also presents two unique challenges: one – they need to know their victims’ phone numbers, and two – sending SMS messages in bulk is not as cheap, easy, or private, as sending emails.
In the SMS message, the attackers impersonate the USPS and, in the usual scamming fashion, warn the victims about a parcel. They share the link to the PDF, which then leads to a malicious landing page, where victims end up sharing their login credentials. This information is ultimately encrypted and relayed to the attacker-owned C2 server.
This campaign highlights the fact phishing attacks can happen anywhere, not just in email, and that businesses need to expand their training sessions to cover virtually all communications platforms in use today.