A sophisticated phishing campaign targeting mobile users has been discovered, using malicious PDFs disguised as official U.S. Postal Service (USPS) communications. The attack starts with SMS messages that alert recipients to undelivered USPS packages and include an attached PDF. The PDF files, while appearing legitimate, contain hidden clickable elements that lead victims to phishing websites. These sites impersonate USPS pages and prompt users to enter personal information such as names, addresses, and credit card details to resolve the supposed delivery issues.
The malicious PDFs employ a novel obfuscation technique to bypass standard security measures. The attackers exploit the structure of Portable Document Format (PDF) files, which includes objects like strings, arrays, and streams. Typically, hyperlinks in PDFs are represented with a “Go-To-URI” action dictionary object, but the attackers use a more advanced method to hide the links.
By embedding these links in compressed stream objects and splitting URLs across multiple objects, the attackers make detection more difficult.
This strategy is particularly effective when the PDFs are opened on mobile devices, where visibility into file contents is limited. The attackers also use techniques such as white text or graphical overlays within the PDF content stream to further conceal the malicious URLs. These methods make it extremely hard for both the user and endpoint security tools to spot the hidden links, allowing the attackers to avoid detection by traditional security solutions.
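A defender-side check for the hiding method described above, as an added example that is not code from Zimperium or from the campaign: it inflates Flate-compressed stream objects, looks for URLs that are absent from the raw file bytes, and rejoins decoded streams to catch a URL split across objects. The sample file, the placeholder URL and the "adjacent streams in file order" split heuristic are assumptions made for illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+", re.IGNORECASE)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")  # ordinary link action


def inflate_streams(pdf: bytes) -> list:
    """Return the decompressed body of every stream zlib can inflate."""
    bodies = []
    for match in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate-compressed; other filters are out of scope
    return bodies


def scan_pdf(pdf: bytes) -> dict:
    """Compare URLs visible in the raw bytes with URLs found after inflating."""
    raw_urls = set(URL_RE.findall(pdf))
    bodies = inflate_streams(pdf)
    per_stream = {u for body in bodies for u in URL_RE.findall(body)}
    # Heuristic for split URLs: rejoin decoded bodies in file order and rescan.
    split = set(URL_RE.findall(b"".join(bodies))) - per_stream
    hidden = (per_stream | split) - raw_urls
    return {
        "uri_actions": len(URI_ACTION_RE.findall(pdf)),
        "hidden_urls": sorted(hidden),
        "split_urls": sorted(split),
        "suspicious": bool(hidden),
    }


def build_sample() -> bytes:
    """Constructed test file: one placeholder URL split over two Flate streams."""
    parts = [b"https://phish.example.inv", b"alid/usps-redelivery"]
    objs = b""
    for num, part in enumerate(parts, start=4):
        data = zlib.compress(part)
        objs += b"%d 0 obj\n<< /Filter /FlateDecode /Length %d >>\n" % (num, len(data))
        objs += b"stream\n" + data + b"\nendstream\nendobj\n"
    return b"%PDF-1.7\n" + objs + b"%%EOF\n"


if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```

A file that reports hidden URLs while containing no ordinary link action is the combination worth escalating; a production scanner would also need to handle object streams, other filters and encrypted files, which this sketch skips.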
Once the victims submit their sensitive data through the phishing websites, the attackers encrypt the information and transmit it to their servers. This highly effective campaign highlights the growing sophistication of cyber threats targeting mobile users, exploiting weaknesses in both user awareness and security defenses. The discovery of these techniques by Zimperium’s zLabs team underscores the importance of continually evolving security measures to defend against such advanced phishing tactics.