Phishing campaign targets mobile devices via PDFs

A new phishing campaign posing as the U.S. Postal Service (USPS) is targeting mobile devices. The attack uses social engineering tactics and an unprecedented hiding method to deliver malicious PDF files.

PDF documents are indispensable for business. However, they pose significant security risks, especially for mobile devices. Cybercriminals exploit users’ trust in PDF files to launch phishing attacks and spread malware.

Methodology

Researchers at Zimperium have discovered a new technique for hiding clickable elements in PDF files. This method makes it difficult for most endpoint security solutions to analyze the hidden links correctly.

The rogue PDFs redirect users to phishing websites. There, the user is asked to share additional information, including names, addresses, and payment information. The details are encrypted and sent to the cybercriminals' servers, where the attackers can exploit the data.

The investigation points to over 20 malicious PDF files and 630 phishing pages. Those numbers indicate a large-scale operation. The rogue infrastructure, starting with landing pages designed to steal data, could potentially affect organizations in more than 50 countries.
