- Zimperium research finds that a smishing campaign takes advantage of carefully crafted PDF files
- The campaign impersonates the USPS
- The objective of the campaign is to steal login credentials
Corporate email accounts may be watched over by various security solutions, but mobile devices do not enjoy the same level of protection, researchers have warned, as criminals design advanced and complex mobile phishing attacks to steal valuable login credentials.
Zimperium cybersecurity researchers recently discovered a new campaign using a unique obfuscation technique: the attackers first build a PDF file impersonating the United States Postal Service (USPS). The structure of the file is quite complex, the researchers said, since it has a header, a body, a cross-reference table and a trailer. The link, which leads to a malicious landing page, is embedded without using the standard /URI tag, which makes detection and forensic analysis difficult.
The uniqueness of the attack is seen in the URL, which comes with an embedded XObject. This allows criminals to turn it into a clickable button.
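A defensive triage check for the point above, as an added example that is not Zimperium's tooling or code from the original article: it lists URLs that appear anywhere in a PDF, including inside Flate-compressed streams, but are not declared by a standard /URI action. The function names and the sample file are constructed for illustration, and only Flate-compressed streams are inflated.

```python
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s<>()\[\]\\\"']+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def stream_bodies(pdf: bytes):
    """Yield each stream body, inflated when it is valid zlib (Flate) data."""
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        try:
            # decompressobj ignores the end-of-line bytes left after the data
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # other filter or plain data: scan it as-is


def urls_outside_uri_actions(pdf: bytes):
    """Return URLs present in the file that no /URI action declares."""
    blobs = [pdf, *stream_bodies(pdf)]
    declared, found = set(), set()
    for blob in blobs:
        declared.update(m.group(1) for m in URI_ACTION_RE.finditer(blob))
        found.update(URL_RE.findall(blob))
    return sorted(u.decode("latin-1") for u in found - declared)


def sample_pdf() -> bytes:
    """Constructed sample: one declared /URI link, one URL only in a stream."""
    content = zlib.compress(
        b"BT /F1 12 Tf (https://tracking.example.invalid/pkg) Tj ET")
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Annot /Subtype /Link\n",
        b"  /A << /S /URI /URI (https://www.example.com/help) >> >> endobj\n",
        b"2 0 obj << /Length %d /Filter /FlateDecode >>\n" % len(content),
        b"stream\n", content, b"\nendstream endobj\n",
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    for url in urls_outside_uri_actions(sample_pdf()):
        print("URL not declared by a /URI action:", url)
```

A URL reported here is not malicious by itself; it is a lead for an analyst, since scanners that only enumerate /URI actions would not see it.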
SMS and PDF files
The attack begins with an SMS message rather than an email. This lets threat actors bypass any email security protections in place, but it also presents two unique challenges: first, they need to know their victims' phone numbers, and second, sending bulk SMS messages is not as cheap, easy, or private as sending emails.
In the SMS message, the attackers pose as the USPS and, in the usual manner of such scams, warn victims about a package. They share a link to the PDF, which then leads to a malicious landing page, where victims end up entering their login credentials. This information is ultimately encrypted and transmitted to the C2 server owned by the attacker.
This campaign highlights the fact that phishing attacks can occur anywhere, not only in email, and that companies need to expand their training sessions to cover virtually all communications platforms in use today.