Zimperium has unveiled new research identifying a surge in mobile-targeted phishing attacks that utilise PDF documents sent via SMS and MMS.
These findings highlight how cyber attackers exploit the perceived security of PDFs and weaknesses in mobile security measures to collect credentials and sensitive information on a large scale.
Zimperium's zLabs research insights
The zLabs research team at Zimperium reports a rise in the use of PDFs as a tool for mobile phishing, or "mishing," due to their legitimacy in business contexts and ability to avoid traditional email and network defences. Combined with the immediacy of text messaging, these strategies are proving highly successful.
The research covers two notable active campaigns. One targeted the users of EZDriveMA, Massachusetts' electronic toll system, using SMS messages with harmful PDF attachments. Hackers swiftly generated over 2,100 phishing domains via automation, thus escaping blocklists. Zimperium's detection accuracy stood at 98.46%, identifying these domains hours or days ahead of their public listing in phishing databases.
Malicious infrastructure and phishing tactics
Another campaign involved impersonating PayPal with a fake cryptocurrency invoice embedded in a PDF and linked to a voice-based social engineering ploy. The perpetrators used direct IP addresses, concealed URLs, and temporary VoIP numbers to avoid detection.
Zimperium managed to identify and neutralise this malicious infrastructure over 27 hours before its public disclosure, indicating a vulnerable period for organisations dependent on reactive security measures.
Challenges of mobile channels and familiar formats
Pablo Morales, a security researcher at Zimperium, stated, “These campaigns show how quickly attackers are shifting to mobile channels and trusted file formats to stay ahead of traditional defences.”
“PDFs sent over SMS create a dangerous blind spot, especially when security tools don’t inspect files at the device level. Detection speed is now the difference between stopping an attack and responding after credentials are stolen.”
Emerging trends in mobile-first attack strategies
Zimperium’s findings suggest a growing trend where cybercriminals focus on a mobile-first attack strategy, utilising zero-day infrastructure and social engineering tactics to exploit the areas with weaker defences.
PDF-based phishing often evades email gateways and reputation-based filters, leaving organisations vulnerable during the initial stages of an attack.
Defending against mobile phishing threats
Zimperium employs device-level analysis of malicious PDFs and embedded links, irrespective of the delivery method—whether SMS, email, QR code, or web. This on-device strategy facilitates the early detection of both recognised and zero-day threats without uploading sensitive files to the cloud.
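As an added example (not Zimperium's code or anything from the report), the following Python script shows the kind of on-device check described above: it pulls /URI link targets out of an uncompressed PDF and flags links that use a direct IP address or plain HTTP, the tactics the campaigns above relied on. The PDF bytes, the /toll/pay path and the 203.0.113.5 address are constructed placeholders, not indicators from the research; PDFs with compressed object streams would need inflating before this scan.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample (not from the report): minimal uncompressed PDF with two
# Link annotations. 203.0.113.5 is a documentation-range placeholder address.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://203.0.113.5/toll/pay) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 40 100 60]
   /A << /S /URI /URI (https://www.example.com/help) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /URI (literal string)

def _unescape(raw: bytes) -> str:
    """Resolve PDF literal-string escapes: \\( \\) \\\\ \\n and octal \\ddd."""
    def repl(m):
        esc = m.group(1)
        if re.fullmatch(rb"[0-7]{1,3}", esc):
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.S).decode("latin-1")

def extract_uris(pdf: bytes) -> list:
    """All /URI action targets found in an uncompressed PDF."""
    return [_unescape(m) for m in URI_RE.findall(pdf)]

def link_findings(url: str) -> list:
    """Reasons a link deserves a closer look; an empty list means nothing flagged."""
    parts = urlsplit(url)
    reasons = []
    try:
        ipaddress.ip_address(parts.hostname or "")
        reasons.append("raw-ip-host")  # direct IP instead of a domain name
    except ValueError:
        pass
    if parts.scheme == "http":
        reasons.append("plain-http")  # credentials would travel unencrypted
    return reasons

def suspicious_links(pdf: bytes) -> dict:
    """Map each flagged link in the PDF to the reasons it was flagged."""
    return {u: r for u in extract_uris(pdf) if (r := link_findings(u))}
```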
The research report titled "PDF Phishing: The Hidden Mobile Threat" offers a comprehensive analysis of the campaigns and provides guidance for organisations aiming to mitigate mobile security vulnerabilities.
