Mobile phishing campaign impersonates USPS, steals credentials

Research from Zimperium zLabs reveals a new mobile phishing (mishing) campaign that targets mobile devices and thereby bypasses conventional desktop security measures. The campaign impersonates the United States Postal Service (USPS), and threat actors use an unprecedented obfuscation tactic to deliver malicious PDF files that steal credentials and compromise sensitive data. By presenting the malicious PDFs as official-looking communications, threat actors can deceive targets with social engineering techniques. The research identifies 630 phishing pages and more than 20 malicious PDF files, with organizations in more than 50 countries targeted.

Stephen Kowski, Field CTO at SlashNext Email Security+, comments, “We’re witnessing phishing evolve in real time beyond email into a sophisticated multi-channel threat, with attackers leveraging trusted brands like USPS, Royal Mail, La Poste, Deutsche Post, and Australian Post to exploit limited mobile device security worldwide. The discovery of over 20 malicious PDFs and 630 phishing pages targeting organizations across 50+ countries shows how threat actors capitalize on users’ trust in official-looking communications on mobile devices. While organizations have robust email security, the critical tension between finance, HR, and technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors. Organizations must expand their security strategy beyond email to include comprehensive protection for mobile messaging and web-based messaging threats.” 

How to defend against mobile threats

Darren Guccione, CEO and Co-Founder at Keeper Security, explains, “The rise of sophisticated and large-scale phishing campaigns like this one, exploiting the trusted USPS brand, reflects the evolving threat landscape targeting mobile users. Cybercriminals are leveraging malicious PDFs and phishing pages that appear official to exploit users’ trust and the inherent limitations of mobile devices, such as reduced screen visibility. This tactic not only enables credential theft but also evades many traditional defenses, making it a potent threat.

“Organizations must adopt a layered security approach to combat such attacks. Employee education is vital for raising awareness about phishing attempts, teaching users to verify sender details, avoid clicking on suspicious links and independently confirm shipping information by navigating to official channels like the USPS website or app directly. 

“Implementing Multi-Factor Authentication (MFA) adds a critical barrier to prevent unauthorized access even if credentials are compromised. Zero trust security frameworks with Privileged Access Management (PAM) solutions further mitigate risks by restricting access to sensitive systems, ensuring only authorized users can interact with critical data. 

“For mobile devices, deploying real-time mobile threat detection and ensuring devices and applications are updated with the latest security patches can proactively defend against threats.” 

