Hackers Impersonate USPS to Deliver Malicious PDFs in Mobile Device Attacks

On January 27, 2025, Zimperium’s zLabs team disclosed the discovery of a sophisticated phishing campaign exclusively targeting mobile users.

This operation impersonates the United States Postal Service (USPS) and employs malicious PDF files to steal sensitive user credentials.

Leveraging advanced obfuscation techniques, the campaign bypasses conventional endpoint security measures, highlighting the growing risks associated with PDFs in enterprise environments.

Widely used for contracts, invoices, and professional communication, PDFs offer an illusion of safety due to their standardized structure and compatibility. Cybercriminals are now exploiting this perception to distribute harmful payloads.

Zimperium’s investigation uncovered over 20 malicious PDFs and 630 phishing pages spread across more than 50 countries, a significant indication of large-scale targeting.

Innovative Evasion Techniques in Malicious PDFs

The investigation revealed a novel technique employed by the attackers to conceal embedded clickable links.

Unlike traditional PDFs, which use a recognizably standard /URI tag for links, these malicious files bypass detection by avoiding this marker.

Instead, the attack relies on hidden clickable regions within the PDF, accompanied by visually concealed text and images.

By using intricate compression and masking features, the attackers effectively hid potentially harmful URLs, rendering them undetectable by many security tools.

At the structural level, the PDFs contained deceptive Catalog and Page objects.

[Figure: Malicious USPS-themed landing page]

These defined hierarchies linked to resources such as external objects (XObjects), fonts with custom character mappings, and compressed streams.

When decompressed, these streams revealed embedded links disguised as innocuous text, including clickable “buttons” redirecting users to phishing websites.

Upon interaction, users were directed to fraudulent USPS-themed webpages urging them to submit personal and financial information.
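A defender-side illustration of the technique described above, added here and not taken from Zimperium’s report: it inflates Flate-compressed streams and reports URLs that appear only inside stream bodies and never as a /URI action, which is exactly the gap a /URI-only scanner leaves open. The minimal PDF, its object layout and the example domains are constructed for this demonstration.

```python
import re
import zlib

# Heuristic patterns: a /URI action, a URL-looking string, and a stream body.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def find_urls(pdf_bytes: bytes) -> dict:
    """Collect URLs declared as /URI actions and URLs found in stream bodies
    (raw or after zlib inflation). Returns sorted lists under two keys."""
    uri_actions = {m.group(1) for m in URI_RE.finditer(pdf_bytes)}
    stream_urls = set()
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        candidates = [body]
        try:
            candidates.append(zlib.decompress(body))  # /FlateDecode streams
        except zlib.error:
            pass  # uncompressed, other filter, or corrupt: scan raw bytes only
        for data in candidates:
            stream_urls.update(URL_RE.findall(data))
    return {"uri_actions": sorted(uri_actions), "stream_urls": sorted(stream_urls)}


def hidden_link_suspects(pdf_bytes: bytes) -> list:
    """URLs reachable only via stream content, with no matching /URI action."""
    r = find_urls(pdf_bytes)
    return sorted(set(r["stream_urls"]) - set(r["uri_actions"]))


def build_sample_pdf() -> bytes:
    """Constructed sample: one compressed content stream whose text carries a
    URL, plus one ordinary /URI link annotation for comparison."""
    text = b"BT /F1 12 Tf 72 700 Td (Track your package: https://example.invalid/track) Tj ET"
    packed = zlib.compress(text)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 712] "
        b"/A << /S /URI /URI (https://example.com/legit) >> >> endobj\n",
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    print(hidden_link_suspects(build_sample_pdf()))
```

The stream regex is a heuristic that does not parse object streams or other filters, so it is a triage aid, not a substitute for a full PDF parser.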

Attack Workflow and Data Theft

The attack’s workflow begins with seemingly harmless PDF files sent via SMS, enticing recipients to click links inside the document.

[Figure: Fake SMS received by the victim]

On clicking, victims are redirected to a phishing page that mimics USPS forms.

These forms systematically request personal details such as name, email, and phone number, followed by payment card information.

The stolen data is encrypted using the Rabbit stream cipher and transmitted to Command and Control (C&C) servers.

Furthermore, the campaign leverages external APIs to validate stolen card credentials, so that only valid card details are accepted and retained.

The campaign’s multilingual support underscores its global reach, allowing threat actors to adapt the phishing interface for users across various countries, thereby increasing its success rate.

Zimperium’s Mobile Threat Defense (MTD) solution emerges as a critical safeguard against such advanced phishing tactics.

Armed with an on-device AI-driven detection engine, Zimperium offers enterprises real-time protection, even in offline scenarios.

By scanning for malicious structures and hidden phishing links directly on mobile devices, the solution eliminates the risk of data exposure through cloud-based analysis.

This proactive defense mechanism safeguards sensitive information while ensuring compliance and uninterrupted workflows in mobile-first business environments.

As the sophistication of cyberattacks escalates, tools like Zimperium MTD provide essential protection for enterprises battling the relentless evolution of mobile threats.
