Sunday, February 9, 2025
Hackers Mimic USPS To Deliver Malicious PDF In Attack Targeted Mobile Devices

In a detailed analysis published on January 27, 2025, Zimperium’s zLabs team uncovered a sophisticated phishing campaign targeting mobile devices through malicious PDF files.

Disguised as communications from the United States Postal Service (USPS), this campaign employs advanced social engineering and obfuscation tactics to steal user credentials and sensitive data.

The campaign reportedly spans more than 50 countries, underscoring the global scale of the threat.

PDF, a widely used enterprise file format, has become an unexpected avenue for cyberattacks due to its perceived safety.

Figure: Structure of the PDF

Often considered immutable and trustworthy, PDF files are now exploited by attackers embedding malicious links and scripts.

Mobile devices, with their limited capacity to offer document previews and analyze embedded links, are particularly vulnerable.

Without robust on-device protections, enterprises risk exposing sensitive data to such threats.

Innovative Techniques in Obfuscation

Zimperium’s research uncovered over 20 malicious PDF files and 630 phishing pages linked to the campaign.

A novel deployment method was identified in the PDF files, where clickable elements were obscured by not using the conventional /URI tag for web links.

This deliberate choice allowed attackers to bypass detection mechanisms in many endpoint security solutions, while the same URLs embedded with standard tags were flagged as malicious.

Figure: Form to steal card info from the victim

The PDFs used the format's hierarchical object structure (catalogs, pages, fonts, and external objects, or XObjects) to create hidden links.

By employing deceptive attributes such as white text and layering clickable buttons over hidden elements, the attackers effectively obfuscated their actions within the files.

On select platforms like Chrome and macOS Preview, these tactics rendered the hidden links clickable, leading users to phishing websites.
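The following Python heuristic is an added illustration, not code from Zimperium or from the campaign, of why a scanner that only walks /URI entries misses links like these: it collects URLs from every decoded view of a file (including inflated streams), subtracts those declared by a /URI entry, and separately flags content streams that set a white fill colour before showing text. The sample PDF fragment and the example.invalid URLs are constructed for the demo.

```python
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")        # any literal URL
URI_RE = re.compile(rb"/URI\s*\((https?://[^)]*)\)")    # URL declared by a /URI entry
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
# white fill colour (1 1 1 rg) followed by a text-showing operator
WHITE_TEXT_RE = re.compile(rb"\b1(?:\.0*)?\s+1(?:\.0*)?\s+1(?:\.0*)?\s+rg\b.*?\bTj\b", re.DOTALL)

def build_sample_pdf() -> bytes:
    """Constructed sample, not a file from the campaign: object 5 is a normal
    /URI link annotation; object 6 is a Flate-compressed content stream that
    draws a second URL in white text with no /URI tag anywhere."""
    hidden = zlib.compress(b"BT 1 1 1 rg (https://example.invalid/track) Tj ET")
    head = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
            b" /A << /S /URI /URI (https://example.invalid/visible) >> >> endobj\n")
    obj6 = (b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden)
            + hidden + b"\nendstream\nendobj\n")
    return head + obj6

def decoded_views(pdf: bytes):
    """Yield the raw bytes plus every stream body that inflates cleanly."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-encoded; the raw view already covers it

def find_untagged_urls(pdf: bytes) -> set:
    """URLs present anywhere in the decoded file that no /URI entry declares.
    A scanner that only walks /URI entries reports none of these."""
    tagged = set(URI_RE.findall(pdf))
    seen = set()
    for view in decoded_views(pdf):
        seen.update(URL_RE.findall(view))
    return seen - tagged

def has_white_text(pdf: bytes) -> bool:
    """True if any content stream sets a white fill colour and then shows text."""
    return any(WHITE_TEXT_RE.search(view) for view in decoded_views(pdf))

if __name__ == "__main__":
    sample = build_sample_pdf()
    for url in sorted(find_untagged_urls(sample)):
        print("URL outside any /URI entry:", url.decode())
    print("white text present:", has_white_text(sample))
```

The regexes only cover literal `(...)` strings and Flate-encoded streams; hex strings, other filters, and object streams would need a real PDF parser, so treat this as a triage heuristic rather than a complete detector.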

The campaign further included a USPS-themed landing page designed to extract personal and payment information.

The data, encrypted with the Rabbit stream cipher, was transmitted to an attacker-controlled server and also stored locally in the victim’s browser.

Multilingual support observed in the phishing pages suggests the use of a phishing kit capable of targeting users worldwide.

Zimperium highlights the efficacy of its Mobile Threat Defense (MTD) solutions in addressing such evolving threats.

Utilizing on-device AI-based detection, Zimperium’s solutions identify malicious PDFs and phishing links in real-time, even in offline environments.

This approach ensures privacy by conducting all analysis locally on the device, eliminating the need to upload sensitive content to the cloud.

By combining zero-day threat detection with robust AI algorithms, Zimperium empowers enterprises to safeguard sensitive data and workflows from PDF-based phishing campaigns and advanced exploit techniques.

The findings reinforce the importance of adopting sophisticated on-device defenses in combating the rapidly evolving landscape of mobile-based cyber threats.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
