USPS Impersonators Tap Trust in PDFs in Smishing Attacks


Attackers impersonating the US Postal Service (USPS) are striking again, this time in a widescale mobile phishing campaign that taps people’s trust in PDF files and uses a novel evasion tactic to steal credentials and compromise sensitive data through SMS phishing (smishing).

The smishing campaign, discovered by researchers at Zimperium zLabs and described in a blog post published Jan. 27, uses malicious SMS messages informing people that their package can’t be delivered because of “incomplete address information.” The messages direct people to click on a PDF file that contains a malicious phishing link, leading them to a landing page that asks them to provide personal details, including name, address, email, and phone number. A further redirection collects people’s payment-card data, claiming that service fees are required for successful delivery of the package.

“This tactic leverages the perception of PDFs as safe and trusted file formats, making recipients more likely to open them,” Zimperium researcher Fernando Ortega wrote in the post.

zLabs researchers uncovered more than 630 phishing pages, 20 malicious PDF files, and a malicious infrastructure of landing pages related to the campaign, demonstrating a significant scale that potentially could impact organizations across more than 50 countries, he said.


Moreover, attackers use “a complex and previously unseen technique to hide clickable elements” of the campaign, making it difficult for most endpoint security solutions to properly analyze the hidden links and thus detect the threat, Ortega wrote.

“This strategy highlights the evolving tactics of cybercriminals, who exploit both trusted file formats and advanced evasion methods to deceive users and compromise their data,” he wrote.

Manipulating PDFs to Escape Detection

Attackers use their knowledge of the back-end composition of PDF files to create a novel evasion tactic that makes the malicious campaign harder for automated security systems to detect as suspicious, the researchers found.

In PDF files, links are typically represented using the /URI tag, which is part of an Action Dictionary object, specifically within a Go-To-URI action, Ortega explained in the post. This instructs a PDF viewer to navigate to a uniform resource identifier (URI), which is usually a Web address (URL).

The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, “making it more challenging to extract URLs during analysis,” Ortega wrote.

“Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions,” he added. In contrast, the same solutions detected those URLs when the standard /URI tag was used.


“This highlights the effectiveness of this technique in obscuring malicious URLs,” Ortega explained.
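The passage above describes the standard way a PDF carries a hyperlink (a /Link annotation whose action dictionary is a URI action holding a /URI string) and notes that the campaign's PDFs avoid that tag, which is why URL extractors miss them. The following script is an added example written for this article, not Zimperium's tooling or anything from the blog post, that shows the defender-side check this implies: list every standard /URI string in a file, and separately flag every /Link annotation that has no /URI action so an analyst can inspect it by hand instead of assuming the file has no links. It parses uncompressed PDF objects with regular expressions only (no third-party library), does not inflate object streams, and uses two constructed sample PDFs; the `example.invalid` domain and the page-internal /GoTo action in the second sample are assumptions chosen only to make the check fire, not anything taken from the campaign.

```python
"""Heuristic link scan for a PDF file (added example, not Zimperium's tooling).

Parses uncompressed PDF objects with regular expressions, lists every standard
/URI action, and flags /Link annotations that carry no /URI so an analyst can
review them by hand.  Object streams (/ObjStm) and other compressed content are
not inflated, so a result of "no links" means "not analysed", not "clean".
"""
import re
import sys

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)   # "N G obj ... endobj"
ACTION_REF_RE = re.compile(rb"/A\s+(\d+)\s+\d+\s+R")               # /A 7 0 R (indirect action)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")             # /URI (literal string)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")


def parse_objects(data: bytes) -> dict[int, bytes]:
    """Map object number -> raw body for every top-level indirect object."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}


def scan_pdf(data: bytes) -> dict:
    """Return extracted URIs plus the object numbers of Link annotations without /URI."""
    objects = parse_objects(data)
    uris: list[str] = []
    links_without_uri: list[int] = []
    for num, body in objects.items():
        if not LINK_RE.search(body):
            continue
        # The action dictionary is either inline (/A << ... >>) or referenced (/A 7 0 R).
        action = body
        ref = ACTION_REF_RE.search(body)
        if ref:
            action = objects.get(int(ref.group(1)), b"")
        found = URI_RE.findall(action)
        if found:
            uris.extend(u.decode("latin-1") for u in found)
        else:
            links_without_uri.append(num)
    # Any /URI anywhere in the file (e.g. in an /OpenAction) also deserves a look.
    all_uris = sorted({u.decode("latin-1") for u in URI_RE.findall(data)})
    return {"uris": uris, "all_uris": all_uris, "links_without_uri": links_without_uri}


def build_pdf(objects: list[bytes]) -> bytes:
    """Assemble a minimal PDF from object bodies (constructed test data; no xref table)."""
    out = [b"%PDF-1.4\n"]
    for i, body in enumerate(objects, start=1):
        out.append(b"%d 0 obj\n%s\nendobj\n" % (i, body))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%EOF\n")
    return b"".join(out)


# Constructed sample 1: a conventional clickable link using the standard /URI action.
STANDARD_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [4 0 R] >>",
    b"<< /Type /Annot /Subtype /Link /Rect [10 10 190 40]"
    b" /A << /S /URI /URI (https://example.invalid/reschedule) >> >>",
])

# Constructed sample 2: a Link annotation whose action is an indirect /GoTo (page-internal
# navigation), so no /URI string exists anywhere and the annotation is flagged for review.
NO_URI_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [4 0 R] >>",
    b"<< /Type /Annot /Subtype /Link /Rect [10 10 190 40] /A 5 0 R >>",
    b"<< /S /GoTo /D [3 0 R /Fit] >>",
])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else NO_URI_PDF
    report = scan_pdf(data)
    for uri in report["all_uris"]:
        print("URI:", uri)
    for num in report["links_without_uri"]:
        print(f"REVIEW: Link annotation in object {num} has no /URI action")
```

Run it as `python scan_links.py suspicious.pdf`; with no argument it scans the second constructed sample and reports object 4 for review. The point of the second list is the one the article makes: a scanner that only greps for /URI reports nothing on such a file, so the absence of /URI strings in a document that still contains /Link annotations is itself the signal worth alerting on.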

Package-Themed Phishing Not New, But Evolving

Campaigns that impersonate the USPS and other trusted brands are hardly new, as attackers often leverage the urgency a person feels while waiting for a package or piece of mail as a convincing lure for phishing attacks. For example, one USPS-themed campaign in October 2023 was linked to Iranian attackers and used close to 200 different domains as infrastructure for the attacks.

However, the scale and sophisticated evasion tactic of the latest USPS impersonation effort make it a notable threat, and part of a disturbing trend of taking advantage of “limited mobile device security worldwide” that threatens corporate users, one security expert says.

“While organizations have robust email security, the critical tension between finance, HR, and technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors,” says Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+.


Indeed, organizations need to get a handle on the issue of unsecured mobile devices in the workplace, another expert says. To do this, notes Darren Guccione, CEO and co-founder at Keeper Security, they should adopt a layered security approach that combines employee education with the use of multifactor authentication (MFA) to prevent credential compromise even if a corporate user falls for an attack.

As far as enterprise security goes, he explains, employing zero-trust security frameworks that use privileged access management (PAM) solutions can serve to further mitigate risks “by restricting access to sensitive systems, ensuring only authorized users can interact with critical data.”
