Mobile devices have been subjected to data exfiltration attacks involving the use of fraudulent United States Postal Service (USPS) PDF files with phishing links hidden from user and mobile security systems, reports SC Media.
Zimperium researchers report that intrusions commence with the SMS delivery of over 20 types of malicious PDFs purporting to be instructions for dealing with unsuccessful USPS package deliveries that feature links obfuscated as a compressed stream item and display a "Click Update" button XObject image instable of a clickable text URL.
Clicking the button would redirect to any of the 630 different USPS phishing sites with support for 50 languages, which lure targets into providing their telephone numbers, mailing and email addresses, and credit card details, which were later exfiltrated to the attacker's command-and-control server.
This news highlighted significant gaps in mobile device security due to severely lacking investments, said Stephen Kowski, Field CTO at SlashNext Email Security.
"Organizations must expand their security strategy beyond email to include comprehensive protection for mobile messaging and web-based messaging threats," said Kowski.
