
Phishing has been a tried-and-true cyberattack tactic for decades, as it allows threat actors to adapt and expand their methods to take advantage of different technologies and evade many cybersecurity measures. Recent years have seen a global rise in phishing campaigns—a 58% increase just from 2022 to 2023, according to one report—demonstrating that cybercriminals continue to launch successful attacks even as cybersecurity technology constantly evolves to prevent them.
A recent phishing campaign against mobile devices has been tracked in the wild, leveraging malicious PDF documents and impersonating the United States Postal Service (USPS). Using social engineering tactics and benefitting from the unique vulnerability of mobile devices, these attacks can have significant consequences for organizations and individual consumers alike.
Anatomy of the Campaign
The bad actors behind this campaign have used a combination of techniques to craft sophisticated attacks. By leveraging the USPS name, they can exploit consumer trust in a reliable brand. Impersonating legitimate sources is one of the pillars of effective social engineering, convincing targets to let their guard down. Attackers used this trust to gather personally identifiable information and financial details from their victims.
These threat actors have used malicious PDFs as the primary attack vector in this campaign, using sophisticated manipulation tactics to evade security measures. Distributing these documents via mobile devices also makes it easier to deceive targets, increasing the attacker’s chance of success. This campaign has included over 20 malicious PDFs and 630 phishing pages, with a “malicious infrastructure” that could affect organizations in more than 50 countries.
Mobile-Focused Phishing: A Growing Trend
Mobile devices are prime targets for phishing attacks like this campaign for a number of reasons. They don’t have the same level of endpoint protection available as other devices, so mobile phishing (mishing) attacks bypass traditional defenses that desktop devices often use. This allows attackers to exploit mobile security gaps and vulnerabilities without being detected.
The difficulty of detection means that targets of these attacks have to rely more heavily on visual cues like logos to give away the deception. The smaller screens on mobile devices make for limited visibility, making this method even less reliable for protecting against phishing attacks.
The challenges with mobile cybersecurity are not restricted to individuals; organizations also have a difficult time protecting against attacks targeting mobile devices. “While organizations have robust email security, the critical tension between Finance, HR, and Technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors,” according to Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext.
Advanced Evasion Techniques
This PDF mishing campaign uses sophisticated methods of obfuscation to avoid being detected and blocked, demonstrating that the attackers are savvy enough to take advanced measures. Some of these tactics include:
- Embedding clickable links in the PDFs without including the /URI tag that enables URL extraction during file analysis.
- Creating hidden payloads within the PDFs to obscure the true destination of malicious links.
- Using dynamic phishing page generation to create new pages, which reduces the chances of security tools matching known threat signatures and blocking the URLs.
Security solutions often struggle to keep up with these attacks as cybercriminals continuously develop more advanced evasive techniques. The campaign's reliance on social engineering and manipulation of PDF file structure makes this type of attack difficult to protect against.
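For file analysis, the missing /URI tag means a scanner cannot rely on link annotations alone. The added example below (not code from the campaign research or from any vendor) compares URLs declared in /URI actions with URLs found anywhere else in the file, including inflated FlateDecode streams. It assumes the URL still appears as literal text, which the article does not confirm, and all sample data and domains are constructed.

```python
import re
import zlib

# Heuristic patterns; the sample data below is constructed for this example.
URL_RE = re.compile(rb"(?:https?://|www\.)[^\s<>()\[\]]+", re.I)
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> list:
    """Return every stream body, inflated when it is zlib (FlateDecode) data."""
    bodies = []
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            # decompressobj tolerates a clipped trailer, unlike zlib.decompress
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)  # other filter or plain data: scan as-is
    return bodies


def undeclared_urls(pdf: bytes) -> dict:
    """Split URLs found in a PDF into /URI-declared and undeclared sets."""
    declared = {m.group(1) for m in URI_ACTION_RE.finditer(pdf) if m.group(1)}
    seen = set()
    for blob in [pdf, *inflate_streams(pdf)]:
        seen.update(u.rstrip(b".,;") for u in URL_RE.findall(blob))
    hidden = sorted(u for u in seen
                    if not any(u in d or d in u for d in declared))
    return {"declared": sorted(declared), "undeclared": hidden}


def build_sample() -> bytes:
    """Constructed PDF fragment: one /URI link plus a URL only in page text."""
    text = b"BT /F1 12 Tf (Parcel on hold: https://parcel-update.example/t) Tj ET"
    packed = zlib.compress(text)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://carrier.example/help) >> >> endobj\n"
            b"2 0 obj << /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed
            + b"\nendstream endobj\n%%EOF\n")


if __name__ == "__main__":
    report = undeclared_urls(build_sample())
    print("declared in /URI:", report["declared"])
    print("undeclared (review):", report["undeclared"])
```

URLs written as hex strings, split across text operators, or stored under other stream filters are not caught by this heuristic, so an empty "undeclared" list is not a clean verdict.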
Implications for Organizations and Users
Phishing campaigns are versatile in their methods, goals, and impacts, and campaigns like this one can have far-reaching consequences for both organizations and individuals. Bad actors often use phishing attacks to initiate fraudulent transactions to steal money from their victims, deliver malware payloads to target devices, and gather sensitive information like PII, bank details, and login credentials. Sensitive data compromise, financial theft, and credential theft can have catastrophic consequences for individual targets.
Enterprise security is also at risk from attacks like this. Many workers today use their personal devices for business purposes, making organizations vulnerable through them. A phishing attack that fools a single employee within a company can grant bad actors the initial access that they need to infiltrate the organization’s systems and carry out further harm.
Strategies to Combat Mobile Phishing
Preventing mishing attacks requires defending against these sophisticated tactics on multiple fronts. Possibly the most important aspect of combating phishing attacks is user training. It is crucial to empower and equip all users to recognize phishing attempts, such as by scrutinizing file attachments, approaching unknown links with caution, and independently verifying that senders are legitimate. Users should also be educated on the potential consequences of phishing attacks and the steps they can take to protect against them.
Organizations are also encouraged to implement advanced mobile threat defense solutions to protect against the risks of phishing attacks as an initial attack vector. Robust and layered security is vital to address the multiple angles of a phishing attack and account for potential obfuscation methods. “Implementing Multi-Factor Authentication (MFA) adds a critical barrier to prevent unauthorized access even if credentials are compromised,” says Darren Guccione, CEO and Co-Founder at Keeper Security. “Zero-trust security frameworks with Privileged Access Management (PAM) solutions further mitigate risks by restricting access to sensitive systems, ensuring only authorized users can interact with critical data.”
Conclusion
Mobile-focused attacks are a significant threat to organizations and individuals, and they’re not going anywhere. It is urgent to protect against mishing and other mobile-based attacks to prevent personal losses and enterprise intrusions that could cause massive damage. Phishing campaigns are likely to continue evolving as cybercriminals attempt to develop more sophisticated deception tactics and more advanced obfuscation methods. Mobile cybersecurity is as important as it has ever been, and individuals and organizations alike should take steps to secure their mobile devices.