[IMPORTANT: Make this 4 times longer with much more detail]
(Image credit: Pixabay) Zimperium research finds SMishing campaign leveraging carefully crafted PDF files The campaign is impersonating the USPS The goal of the campaign is to steal login credentials Corporate email accounts may be under the watchful eye of different security solutions, but mobile devices aren’t enjoying the same level of protection, experts have warned, as criminals are devising advanced, complex mobile phishing attacks to steal valuable login credentials. Cybersecurity researchers at Zimperium recently discovered a new campaign using a unique obfuscation technique – they would first build a PDF file, mimicking the United States Postal Service (USPS). The file’s structure is quite complex, the researchers said, as it has a header, body, cross-reference table, and a trailer. The link, which leads to a malicious landing page, is embedded without using the standard /URI tag, which makes detection and forensics somewhat more difficult. The uniqueness of the attack is seen in the URL, which comes with an embedded XObject. This allows the crooks to turn it into a clickable button. SMS messages and PDF files The attack starts with an SMS message, instead of an email. This way, the threat actors are able to bypass any email security protections set up, but also presents two unique challenges: one – they need to know their victims’ phone numbers, and two – sending SMS messages in bulk is not as cheap, easy, or private, as sending emails. LATEST VIDEOS FROM techradar Tech Radar Pro In the SMS message, the attackers impersonate the USPS and, in the usual scamming fashion, warn the victims about a parcel. They share the link to the PDF, which then leads to a malicious landing page, where victims end up sharing their login credentials. This information is ultimately encrypted and relayed to the attacker-owned C2 server. This campaign highlights the fact phishing attacks can happen anywhere, not just in email, and that businesses need to expand their training sessions to cover virtually all communications platforms in use today. You might also like Text spammers are getting creative and trying to play on your emotional needs – don’t fall for it Here’s a list of the best firewalls around today These are the best endpoint security tools right now Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors Sead Fadilpašić Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications. You must confirm your public display name before commenting Please logout and then login again, you will then be prompted to enter your display name. Logout More about security Hidden text “salting” is letting hackers craft devious email attacks to evade detection This worrying Git flaw could lead to users leaking credentials Latest Nvidia RTX 5070 Ti GPU could have a February 20 launch to beat AMD’s RX 9070 to the shelves – but what about the RTX 5070? See more latest ► Most Popular LATEST ARTICLES 1 Nvidia RTX 5070 Ti GPU could have a February 20 launch to beat AMD’s RX 9070 to the shelves – but what about the RTX 5070? 2 Dreame R20 cordless vacuum review 3 Honor pokes fun at Samsung by highlighting five key features missing from the Galaxy S25 Ultra 4 AmberDeck is a retro-style prototype case for iPhone that is designed for writing with AI 5 Gamers are already lining up to buy an Nvidia RTX 5090 – I just hope there’s enough stock of the GPU
Leave feedback about this