The campaign exploits the trust that users place in official-looking communications and the PDF format. Cyber criminals embed malicious elements into PDFs, using social engineering tactics to deceive recipients. On mobile devices, where users may have limited visibility into file contents before opening them, the risks of data breaches, credential theft and workflow disruptions significantly increase.
“Although USPS has no involvement, cyber criminals exploit its trusted name to mislead and target users,” said Nico Chiaraviglio, Zlabs Chief Scientist at Zimperium. “This campaign shows the growing sophistication and continued rise of mishing attacks, emphasising the need for proactive mobile security measures.”
The key findings cited by the Zlabs team are as follows:
- Campaign scale: Over 20 malicious PDF files and 630 phishing pages identified, targeting organisations in 50+ countries.
- Innovative evasion techniques: Newly discovered methods obscure malicious links, evading traditional endpoint security solutions.
- Critical vulnerability: PDFs used as a vector exploit mobile users’ confidence in the format, posing a significant threat to enterprise security.
Tips to verify message authenticity
To protect against SMS and PDF phishing attempts like this, Zimperium recommends following these best practices:
- Scrutinise sender details: Verify the sender’s phone number or email address. Official USPS messages will come from a verified source.
- Avoid clicking on links: Navigate directly to the official USPS website or use their mobile app instead of clicking on embedded links.
- Inspect PDF metadata: On a desktop or through a trusted app, review the document properties for unusual or mismatched information.
- Enable security tools: Use advanced mobile threat defence solutions to detect and block phishing attempts.
- Report suspicious activity: If you receive a questionable message claiming to be from USPS, report it at the official USPS phishing page or directly through their support channels.
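As an illustration of the "Inspect PDF metadata" tip, the following added example (not code from Zimperium or from the original article) reads a PDF's document information dictionary and lists fields that look unusual or mismatched. The function names, the `claimed_sender` parameter, the three checks and the sample bytes are assumptions made for this sketch; it handles only unencrypted, uncompressed metadata with literal strings.

```python
import re

# Constructed sample: a minimal PDF fragment with an Info dictionary (not a real campaign file).
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"4 0 obj\n<< /Title (USPS Delivery Notice) /Author (user1)\n"
    b"/Producer (ExamplePDF 1.0) /CreationDate (D:20250110093000Z)\n"
    b"/ModDate (D:20250109120000Z) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)

def read_info(pdf: bytes) -> dict:
    """Return the document information dictionary as {key: text}."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)  # trailer entry pointing at the Info object
    if not ref:
        return {}
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", pdf, re.S)
    if not obj:
        return {}
    # Literal strings only: /Key (value), allowing backslash escapes inside the value.
    pairs = re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\()])*)\)", obj.group(1))
    return {k.decode(): v.decode("latin-1") for k, v in pairs}

def pdf_date(value: str) -> str:
    """Reduce a PDF date (D:YYYYMMDDHHmmSS...) to digits; the time zone offset is ignored."""
    m = re.match(r"D:(\d{4,14})", value or "")
    return m.group(1).ljust(14, "0") if m else ""

def review(info: dict, claimed_sender: str) -> list:
    """Apply illustrative heuristics (assumptions of this sketch) and return the findings."""
    findings = []
    for key in ("Author", "Producer", "CreationDate"):
        if not info.get(key):
            findings.append(f"missing {key}")
    created = pdf_date(info.get("CreationDate", ""))
    modified = pdf_date(info.get("ModDate", ""))
    if created and modified and modified < created:
        findings.append("ModDate is earlier than CreationDate")
    title, author = info.get("Title", ""), info.get("Author", "")
    if claimed_sender.lower() in title.lower() and claimed_sender.lower() not in author.lower():
        findings.append(f"Title names {claimed_sender} but Author is {author!r}")
    return findings

if __name__ == "__main__":
    for finding in review(read_info(SAMPLE_PDF), "USPS"):
        print(finding)
```

A finding is a prompt for closer inspection rather than a verdict, and a clean result does not establish that a document is safe.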