Corporate accounts may be under the watchful eye of different security solutions, but mobile devices aren’t enjoying the same level of protection, experts have warned, as criminals are devising advanced, complex mobile phishing attacks to steal valuable login credentials. Cybersecurity researchers at Zimperium recently discovered a new campaign using a unique obfuscation technique - they would first build a PDF file, mimicking the United States Postal Service (USPS). The file’s structure is quite complex, the researchers said, as it has a header, body, cross-reference table, and a trailer.
The link, which leads to a malicious landing page, is embedded without using the standard /URI tag, which makes detection and forensics somewhat more difficult. The uniqueness of the attack is seen in the URL, which comes with an embedded XObject. This allows the crooks to turn it into a clickable button.
SMS messages and PDF files The attack starts with an SMS message, instead of an email. This way, the threat actors are able to bypass any email security protections set up, but also presents two unique challenges: one - they need to know their victims’ phone numbers, and two - sending SMS messages in bulk is not as cheap, easy, or private, as sending emails. In the SMS message, the attackers impersonate the USPS and, in the usual scamming fashion, warn the victims about a parcel.
They share the link to the PDF, which then leads to a malicious landing page, where victims end up sharin.
