An expansive phishing campaign aimed at mobile devices takes advantage of users’ trust in PDF files and in the U.S. Postal Service (USPS) to steal credentials and sensitive information, according to researchers with mobile security firm Zimperium.
The attackers deliver the malicious PDFs via SMS text messages, dressed up as communications from the USPS, and use what the researchers called in a report Monday a “never-before-seen means of obfuscation” to bypass traditional security controls: the malicious links are embedded in the PDF in a way that hides them from endpoint security tools that inspect the file for links.
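The report summary above does not detail the obfuscation Zimperium observed, so the following example, added here and not taken from Zimperium’s report, assumes one simple way a link can sit in a PDF without a standard /URI link action: as plain page text inside a FlateDecode-compressed content stream, which many mobile viewers still render as a tappable URL. It builds two small PDFs in memory (hostnames are constructed placeholders, not indicators from the campaign) and contrasts a scanner that only greps the raw file for /URI actions with one that also inflates every stream.

```python
"""Two ways to pull URLs out of a PDF: a naive /URI-annotation grep and a
deeper sweep that inflates every FlateDecode stream. The sample PDFs are
constructed in memory; the hostnames are placeholders, not real indicators."""
import re
import zlib

# Textbook link action: << /S /URI /URI (https://...) >>
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Generic URL sweep; stops at whitespace and PDF delimiters
URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")
# stream ... endstream bodies (a trailing EOL is tolerated by decompressobj)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

OVERT_URL = b"https://usps-track.example/redeliver"   # constructed placeholder
HIDDEN_URL = b"https://usps-update.example/fee"       # constructed placeholder


def build_pdf(objects):
    """Assemble a minimal PDF from object bodies (object i+1 = objects[i])
    with a correct xref table, so the files are readable by a real viewer."""
    out = bytearray(b"%PDF-1.5\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


def flate_stream(data):
    """Wrap data in a FlateDecode stream object."""
    body = zlib.compress(data)
    return (b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
            + body + b"\nendstream")


def overt_link_pdf():
    """A /Link annotation with a plain /URI action: what naive scanners expect."""
    return build_pdf([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
        b"/A << /S /URI /URI (" + OVERT_URL + b") >> >>",
    ])


def hidden_link_pdf():
    """No /Link annotation at all (assumed variant): the URL is drawn as page
    text inside a compressed content stream. Viewers that auto-link text still
    make it tappable, but a raw grep for /URI actions sees nothing."""
    content = b"BT /F1 12 Tf 72 700 Td (Update your address: " + HIDDEN_URL + b") Tj ET"
    return build_pdf([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        flate_stream(content),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ])


def naive_links(pdf):
    """Only plain-text /URI actions in the raw bytes."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]


def deep_links(pdf):
    """Raw sweep plus every inflatable stream: also catches URLs kept in
    compressed content, JavaScript or object streams."""
    found = {m.group(0) for m in URL_RE.finditer(pdf)}
    for m in STREAM_RE.finditer(pdf):
        try:
            data = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (image, font, ...)
        found.update(URL_RE.findall(data))
    return sorted(u.decode("latin-1") for u in found)


if __name__ == "__main__":
    for name, pdf in (("overt", overt_link_pdf()), ("hidden", hidden_link_pdf())):
        print(name, "naive:", naive_links(pdf), "deep:", deep_links(pdf))
```

The naive scan reports the overt link and nothing for the second file, while the stream-inflating sweep reports both; any detection that stops at the annotation dictionary inherits the first scanner’s blind spot.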
“This strategy highlights the evolving tactics of cybercriminals, who exploit both trusted file formats and advanced evasion methods to deceive users and compromise their data,” Zimperium malware analyst Fernando Ortega wrote.
The phishing attacks are part of a larger and growing trend of what Zimperium calls “mishing,” an umbrella term for campaigns that reach mobile users through email, text messages, voice calls, or QR codes and exploit weaknesses such as unsafe user behavior and the minimal security on many mobile devices to infiltrate corporate networks and steal information.
In their investigation of the latest campaign, Zimperium researchers found more than 20 malicious PDF files and 630 phishing pages, as well as landing pages designed to steal data from victims in more than 50 countries, Ortega wrote.
PDFs are becoming convenient tools for bad actors to launch such phishing attacks, Ortega wrote. They are widely used for important documents like agreements, business communications, and contracts, and can carry hyperlinks, images, and digital signatures, which is why users tend to trust them.
“Due to their ubiquitous use and appearance to be ‘tamper-proof’, users have developed a natural, but dangerous, assumption that all PDFs are safe,” he wrote. “And now, cybercriminals are actively exploiting that false confidence.”
The latest campaign also follows a long run of scams in which attackers impersonate package delivery companies – not only USPS, but UPS, FedEx, DHL, and similar organizations – to convince victims to send money or divulge information.
The attack starts with a text message seemingly from USPS telling the target that they have a package waiting but it can’t be delivered because there is missing information in the address. Included in the message is an attached PDF file.
Users who open the PDF and tap its link are sent to phishing pages that also pose as USPS sites. They are prompted to enter such information as their name, address, phone number, and email address before clicking a button that reads “update immediately.” They are then told they must pay a service fee for redelivery and are asked to enter their credit card details.
Stephen Kowski, field CTO at SlashNext Email Security+, said the campaign uncovered by Zimperium illustrates the ongoing innovation in mobile device threats.
“We’re witnessing phishing evolve in real time beyond email into a sophisticated multi-channel threat, with attackers leveraging trusted brands like USPS, Royal Mail, La Poste, Deutsche Post, and Australian Post to exploit limited mobile device security worldwide,” Kowski said. “The discovery of over 20 malicious PDFs and 630 phishing pages targeting organizations across 50+ countries shows how threat actors capitalize on users’ trust in official-looking communications on mobile devices.”
He also noted that internal disagreements are hampering corporations’ ability to protect against such attacks.
“While organizations have robust email security, the critical tension between finance, HR, and technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors,” Kowski said. “Organizations must expand their security strategy beyond email to include comprehensive protection for mobile messaging and web-based messaging threats.”
Zimperium’s Ortega agreed, noting that the limited visibility mobile device users have into file contents makes it easier for threats to get past traditional security measures.
“The portability and accessibility that make PDFs so valuable also means that sensitive data can be inadvertently exposed if proper protections are not in place,” he wrote. “Without robust mobile threat defense mechanisms, particularly on-device scanning, enterprises face the risk of data breaches, credential theft, and compromised workflows via seemingly harmless PDF files.”