PDFs as Bait: Sophisticated USPS Smishing Campaign Exploits Mobile Security Gaps

Attackers impersonating the U.S. Postal Service (USPS) have launched a widespread mobile phishing campaign leveraging trust in PDF files to steal sensitive data and credentials. Researchers at Zimperium zLabs uncovered this operation, which uses SMS phishing (smishing) messages to lure victims.

The messages claim delivery issues due to "incomplete address information" and direct recipients to open a PDF containing a phishing link. This link leads to a fake landing page that collects personal details, such as names, addresses, emails, and phone numbers. Victims are then redirected to another page that requests payment card information under the pretense of service fees for completing the delivery.

PDFs as a Trusted Attack Vector

The campaign exploits the perceived safety of PDF files, making users more likely to interact with them, said Zimperium researcher Fernando Ortega. zLabs identified over 630 phishing pages, 20 malicious PDFs, and an extensive network of landing pages tied to the campaign, which spans more than 50 countries.

What makes this attack particularly challenging to detect is a novel evasion technique used within the PDFs. Instead of employing the standard /URI tag to embed links, the attackers manipulate the back-end structure of the PDFs, bypassing detection mechanisms in many endpoint security systems.

"By avoiding the /URI tag, malicious URLs in these PDFs evade detection that would otherwise flag them as suspicious," Ortega noted. Zimperium researchers verified that URLs hidden in this manner were missed by several endpoint security tools, while the same URLs were flagged when embedded using traditional methods.
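The detection gap described above comes from tools that only look at /URI link actions. The following scanner is an added example (not Zimperium's tooling and not taken from the article) of the defender-side check: it collects every URL a PDF carries, whether declared in a /URI action, written in plain object syntax, or sitting inside a FlateDecode-compressed stream, and reports the ones a /URI-only check would never see. The two PDFs it runs on are minimal fixtures constructed in the code, and the domain `tracking.example.invalid` is a placeholder, not an indicator from the campaign.

```python
"""Find URLs in a PDF regardless of whether they are declared via /URI.

Added example for this article: a /URI-only inspection misses URLs placed
elsewhere in the file, so this scanner also greps raw object syntax and
inflated streams and flags every URL that is NOT tied to a /URI action.
"""
import re
import zlib

# Generic http/https URL over bytes; stops at PDF string/array delimiters.
URL_RE = re.compile(rb'https?://[A-Za-z0-9._~:/?#\[\]@!$&\'*+,;=%-]+')
# The conventional link form: /A << /S /URI /URI (https://...) >>
URI_ACTION_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)')
# stream ... endstream bodies (the lookbehind avoids matching "endstream").
STREAM_RE = re.compile(rb'(?<!end)stream\r?\n(.*?)\r?\nendstream', re.S)


def _unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter for a URL."""
    return s.replace(b'\\(', b'(').replace(b'\\)', b')').replace(b'\\\\', b'\\')


def scan_pdf(data: bytes) -> dict:
    """Return {url: {"uri_action": bool, "in_stream": bool}} for every URL found."""
    found = {}

    def note(url: bytes, **flags):
        entry = found.setdefault(url.decode('latin-1'),
                                 {"uri_action": False, "in_stream": False})
        for key, value in flags.items():
            entry[key] = entry[key] or value

    # 1. URLs declared the conventional way, inside /URI link actions.
    for m in URI_ACTION_RE.finditer(data):
        for url in URL_RE.findall(_unescape(m.group(1))):
            note(url, uri_action=True)
    # 2. URLs anywhere in the uncompressed object syntax (metadata, JS, ...).
    for url in URL_RE.findall(data):
        note(url)
    # 3. URLs inside streams; FlateDecode bodies are inflated first, any
    #    stream that is not zlib data is scanned as-is instead of crashing.
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass
        for url in URL_RE.findall(body):
            note(url, in_stream=True)
    return found


def hidden_urls(data: bytes) -> list:
    """URLs present in the file but not declared via /URI: the ones a
    /URI-only check would miss and that warrant a closer look."""
    return sorted(u for u, f in scan_pdf(data).items() if not f["uri_action"])


def build_pdf(extra_objects: list, content: bytes) -> bytes:
    """Assemble a minimal one-page PDF (constructed fixture, no font resources)."""
    stream = zlib.compress(content)
    annots = b'/Annots [5 0 R] ' if extra_objects else b''
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R >>',
        b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
        b'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R '
        + annots + b'>>',
        b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(stream)
        + stream + b'\nendstream',
    ] + extra_objects
    out = b'%PDF-1.4\n'
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b'%d 0 obj\n' % i + body + b'\nendobj\n'
    xref_pos = len(out)
    out += b'xref\n0 %d\n0000000000 65535 f \n' % (len(objs) + 1)
    out += b''.join(b'%010d 00000 n \n' % o for o in offsets)
    out += (b'trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n'
            % (len(objs) + 1, xref_pos))
    return out


# Constructed fixtures (placeholder domain, not campaign indicators): one
# declares its link through a /URI action, the other carries the same URL
# only as page text inside the compressed content stream.
SAMPLE_URL = b'https://tracking.example.invalid/update'
CONVENTIONAL_PDF = build_pdf(
    [b'<< /Type /Annot /Subtype /Link /Rect [10 10 190 90] '
     b'/A << /S /URI /URI (' + SAMPLE_URL + b') >> >>'],
    b'BT /F1 12 Tf 20 50 Td (Open the link) Tj ET')
NO_URI_TAG_PDF = build_pdf(
    [],
    b'BT /F1 12 Tf 20 50 Td (' + SAMPLE_URL + b') Tj ET')

if __name__ == '__main__':
    for name, pdf in (('conventional', CONVENTIONAL_PDF), ('no /URI tag', NO_URI_TAG_PDF)):
        print(name, scan_pdf(pdf), 'hidden:', hidden_urls(pdf))
```

The point of the third pass is that a byte-level grep is not enough either: page content is normally FlateDecode-compressed, so a URL placed there is invisible until the stream is inflated. In a triage pipeline, any PDF attached to an SMS that yields a non-empty `hidden_urls` result is worth detonating or blocking.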

Escalating Phishing Sophistication

Impersonating delivery services like USPS isn’t new. Attackers have long used the urgency of package delivery as a phishing lure. In October 2023, for example, an Iranian-linked USPS phishing campaign employed nearly 200 domains for its infrastructure.

However, the large-scale and innovative evasion techniques in this campaign highlight evolving threats, particularly targeting mobile devices, which often lack robust security protections compared to corporate email systems.

"While organizations typically invest heavily in email security, the growing use of mobile devices introduces significant vulnerabilities," says Stephen Kowski, field CTO at SlashNext Email Security+. He warns that insufficient investment in mobile security leaves organizations exposed, with attackers increasingly exploiting mobile platforms as primary attack vectors.

Securing Mobile Devices and Networks

To counter such threats, organizations need a comprehensive approach to mobile security. Darren Guccione, CEO of Keeper Security, advocates for layered defenses, including employee training and multifactor authentication (MFA). These measures can help prevent credential compromise, even if users fall for phishing attempts.

Additionally, implementing zero-trust security frameworks and privileged access management (PAM) solutions can mitigate risks by restricting access to sensitive systems and ensuring only authorized personnel interact with critical data.

As mobile phishing campaigns like this USPS impersonation effort grow more sophisticated, organizations must adapt their security strategies to address vulnerabilities in mobile devices and ensure comprehensive protection against emerging threats.