UPDATED 09:00 EST / JANUARY 27 2025

SECURITY

Zimperium report warns of phishing campaign targeting mobile users with malicious PDFs

A new report out today from mobile security platform provider Zimperium Inc. is warning of a sophisticated new phishing campaign targeting mobile devices with malicious PDF files.

The PDFs used in the campaign are disguised as legitimate communications from the U.S. Postal Service and aim to exploit user trust in the PDF format to steal credentials and sensitive data.

The campaign detailed in the report uses advanced evasion techniques, including embedding hidden, clickable links in the PDFs without using standard tags. By doing so, the malicious files successfully bypass detection by many endpoint security solutions, making them particularly effective against mobile users.

The malicious PDFs redirect users to phishing websites, where they are prompted to provide details such as names, addresses and payment information. The details are then encrypted and transmitted to servers controlled by those behind the campaign, enabling them to exploit the stolen data.

The report emphasizes how the campaign exploits the ubiquity of PDFs, which are used for business communications due to their perceived safety. The idea is that by leveraging a false sense of security, the attackers have found a highly effective way to target mobile devices, where users often have limited visibility into file contents.

Darren Guccione, co-founder and chief executive at cybersecurity company Keeper Security Inc., told SiliconANGLE via email that “the rise of sophisticated and large-scale phishing campaigns like this one, exploiting the trusted USPS brand, reflects the evolving threat landscape targeting mobile users.”

“Cybercriminals are leveraging malicious PDFs and phishing pages that appear official to exploit users’ trust and the inherent limitations of mobile devices, such as reduced screen visibility,” Guccione said. “This tactic not only enables credential theft but also evades many traditional defenses, making it a potent threat.”

Guccione said organizations should adopt a layered security approach to combat such attacks. “Employee education is vital for raising awareness about phishing attempts, teaching users to verify sender details, avoid clicking on suspicious links and independently confirm shipping information by navigating to official channels like the USPS website or app directly,” he said.

Image: SiliconANGLE/Ideogram
