Beware: Mobile Phishing Mimicking the USPS Is On the Rise



Researchers at Zimperium warn that a large phishing campaign is impersonating the US Postal Service (USPS) to target mobile devices with malicious PDF files.

The goal of the campaign is to direct users to a spoofed USPS website designed to harvest personal information.

“The investigation into this campaign uncovered over 20 malicious PDF files and 630 phishing pages, indicating a large-scale operation,” the researchers write.

“Further analysis revealed a malicious infrastructure, starting with landing pages designed to steal data, that could potentially impact organizations across 50+ countries.

This campaign employs a complex and previously unseen technique to hide clickable elements, making it difficult for most endpoint security solutions to properly analyze the hidden links.”

Notably, the phishing campaign used a new obfuscation technique that allowed the malicious links to evade detection by security products.

“The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, making it more challenging to extract URLs during analysis,” Zimperium explains. “Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions. In contrast, the same URLs were detected when the standard /URI tag was used. This highlights the effectiveness of this technique in obscuring malicious URLs.”
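Zimperium's write-up does not describe how the links are embedded, so the added example below (not from the report, Zimperium or KnowBe4) assumes only what the quote states: the URL string is present in the file, here inside a FlateDecode-compressed stream, without a /URI action. It lists URLs that a /URI-only extractor would miss, which is the triage signal a defender wants; SAMPLE_PDF is a constructed stand-in, not a file from the campaign.

```python
import re
import zlib

# Constructed sample (not from the campaign): one link declared via a standard
# /URI action, one URL present only inside a FlateDecode-compressed stream.
_HIDDEN = zlib.compress(b"BT /F1 12 Tf (Track your parcel) Tj ET\n% https://example.invalid/track\n")
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/declared) >> >>\nendobj\n",
    b"2 0 obj\n<< /Length ", str(len(_HIDDEN)).encode(), b" /Filter /FlateDecode >>\n",
    b"stream\n", _HIDDEN, b"\nendstream\nendobj\n%%EOF\n",
])

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def extract_uri_actions(pdf: bytes) -> set[str]:
    """URLs declared the standard way, as the /URI entry of a link action."""
    return {m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf)}


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Return each stream body, zlib-inflated where that succeeds, else raw."""
    bodies = []
    for body in STREAM_RE.findall(pdf):
        try:
            bodies.append(zlib.decompress(body))
        except zlib.error:  # not Flate-compressed (or damaged): scan as-is
            bodies.append(body)
    return bodies


def find_all_urls(pdf: bytes) -> set[str]:
    """Every URL-shaped string in the raw bytes or in any inflated stream."""
    blobs = [pdf, *inflate_streams(pdf)]
    return {m.decode("latin-1") for blob in blobs for m in URL_RE.findall(blob)}


def untagged_urls(pdf: bytes) -> set[str]:
    """URLs that exist in the file but are not declared through /URI.
    A non-empty result is the triage signal: a /URI-only extractor misses them."""
    return find_all_urls(pdf) - extract_uri_actions(pdf)


if __name__ == "__main__":
    print("declared:", sorted(extract_uri_actions(SAMPLE_PDF)))
    print("untagged:", sorted(untagged_urls(SAMPLE_PDF)))
```

Object streams, encrypted files and URLs split across text-showing operators are outside what this regex pass sees; treat it as a cheap first filter, not a full PDF parser.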

The researchers note that PDFs are commonly used in business settings, so employees need to be wary of attackers using these files to deliver phishing links.

“The widespread use of PDFs is introducing significant security risks to the enterprise, particularly when targeted to mobile devices,” the researchers write. “PDFs have become a common vector for phishing attacks, malware, and exploits due to their ability to embed malicious links, scripts, or payloads. On mobile platforms, where users often have limited visibility into file contents before opening, these threats can easily bypass traditional security measures.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Zimperium has the story.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer
