In a recent report, security researchers at Zimperium have uncovered a new phishing campaign. This series of attacks leverages malicious PDF files delivered via SMS that has the potential of putting millions of mobile users at risk.
Malicious SMS
This campaign sees SMS messages delivered to users where the sender impersonates the United States Postal Service (USPS). The SMS also contains a malicious PDF file that is generally harmless. However, in this case, the file contains malicious links. When users click on these links, phishing websites redirect them to steal personal details such as names, addresses, and credit card information.
What makes this campaign particularly dangerous is how the attackers have cleverly hidden the malicious links. Instead of embedding links using the standard /URI tag, which is common practice in PDFs, the attackers hide the URLs with graphical overlays. The researchers claim that this method made it difficult to detect. It even bypassed detection from traditional endpoint security solutions.
One thing to note is that mobile devices are particularly vulnerable to this type of attack. This is due to the smaller screen size, which limits the ability to inspect file contents before opening them. Users can easily review metadata and file properties on desktop systems, in contrast to this.
According to Zimperium’s investigation, they found over 20 malicious PDF files and 630 phishing pages. This seems to target organizations and individuals in more than 50 countries.
Protecting yourself from phishing
Phishing is a form of cyberattack where the attacker impersonates a person or an organization. For example, there are phishing attacks where the attacker pretends to be your bank. This can come in the form of an SMS or an email where it asks you to click a link to go to its website.
The website would then be designed to look near-identical to the one your bank uses. Users who don’t pay close enough attention might then enter their personal details like login name and password. This information is then sent to the attacker, who then logs into your actual bank account, where they can siphon all of your money in a matter of minutes.
That being said, there are ways to protect yourself from falling victim to phishing attacks. This includes verifying the sender’s information. You can always check the email address and website URL to make sure it is correct. Some attackers attempt to disguise this cleverly by adding extra letters or numbers so that, at a glance, you think it’s the real deal.
You can also go to your bank’s website directly instead of clicking on the link. This is because sometimes links can execute code to steal information or install malware. Lastly, and probably the best idea of all, is to simply avoid opening SMS or emails from unknown senders.
