Malicious PDF Links Hidden in Text Message Scam Impersonating US Postal Service (scworld.com) 13
SC World reports:
A new phishing scam targeting mobile devices was observed using a "never-before-seen" obfuscation method to hide links to spoofed United States Postal Service (USPS) pages inside PDF files, [mobile security company] Zimperium reported Monday.
The method manipulates elements of the Portable Document Format (PDF) to make clickable URLs appear invisible to both the user and mobile security systems, which would normally extract links from PDFs by searching for the "/URI" tag. "Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions. In contrast, the same URLs were detected when the standard /URI tag was used," Zimperium Malware Researcher Fernando Ortega wrote in a blog post.
The attackers send the malicious PDFs via SMS text messages under the guise of providing instructions to retrieve a USPS package that failed to deliver... The phishing websites first displays a form for the victim provide their mailing address, email address and telephone number, and then asks for credit card information to pay a $0.30 "service fee" for redelivery of the supposed package... Zimperium identified more than 20 versions of the malicious PDF files and 630 phishing pages associated with the scam operation. The phishing pages were also found to support 50 languages, suggestion international targeting and possible use of a phishing kit.
"Users' trust in the PDF file format and the limited ability of mobile users to view information about a file prior to opening it increase the risk of such phishing campaigns, Zimperium noted."
Thanks to Slashdot reader spatwei for sharing the news.
The method manipulates elements of the Portable Document Format (PDF) to make clickable URLs appear invisible to both the user and mobile security systems, which would normally extract links from PDFs by searching for the "/URI" tag. "Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions. In contrast, the same URLs were detected when the standard /URI tag was used," Zimperium Malware Researcher Fernando Ortega wrote in a blog post.
The attackers send the malicious PDFs via SMS text messages under the guise of providing instructions to retrieve a USPS package that failed to deliver... The phishing websites first displays a form for the victim provide their mailing address, email address and telephone number, and then asks for credit card information to pay a $0.30 "service fee" for redelivery of the supposed package... Zimperium identified more than 20 versions of the malicious PDF files and 630 phishing pages associated with the scam operation. The phishing pages were also found to support 50 languages, suggestion international targeting and possible use of a phishing kit.
"Users' trust in the PDF file format and the limited ability of mobile users to view information about a file prior to opening it increase the risk of such phishing campaigns, Zimperium noted."
Thanks to Slashdot reader spatwei for sharing the news.
Does the USPS even text people? (Score:2)
and how did they get my phone number?
Re: Does the USPS even text people? (Score:4, Informative)
Re: (Score:2)
Also, if you ever go on vacation and make a "hold mail" request, they ask for your phone #.
Lack of information.... (Score:3)
They paid an "information broker" $0.001 to get your phone number, just like everyone else these days.
Or do you still live in the last century?
Re:Lack of information.... (Score:5, Interesting)
I have about 300 email addresses (one for each site I use), and I have gotten variations of this email (and the oh-so-funny "we caught you wanking on camera" on my out-of-country server) on a few dozen of them. So what I have is a list of sites that have either been compromised or that have sold my email address. A few of them even contained my login credentials for the site. I use different credentials for each site, and for this very reason.
Think, folks (Score:3)
The "USPS" sends you a message requesting a $0.30 payment. I don't need to examine the text/multimedia/PDF file to look for hidden stuff. The request alone is enough to make this smell funny.
Re: (Score:2)
As is the text claiming to be from the USPS with the link to "uspnem [dot] online" that I received a couple days ago from a phone number in the Philippines. Yeah, I don't think I'm going to click that one.
PDF is too complex (Score:3)
to be properly secured over the internet and to protect the gullible and these who aren't paying attention. And these who use mobile phones to work with sensitive data too.
Perhaps the best solution is to stop using PDF over the wide Internet, just as we did with Macromedia/Adobe Flash.
Re: PDF is too complex (Score:2)
I don't do that. Are all your coworkers also not doing that?
Re: (Score:1)
Or you can educate your staff not to clink on links from unverified senders.
Re: (Score:1)
Unclear (Score:2)