Zimperium, a global leader in mobile security, has uncovered a highly sophisticated phishing (mishing) campaign targeting mobile devices by impersonating the United States Postal Service (USPS).
Revealed by Zimperium’s zLabs threat research team, the advanced attack specifically targets mobile devices, using a deceptive obfuscation method to deliver malicious PDF files.
These PDFs are designed to steal sensitive user credentials and compromise critical data, posing a significant threat to organizations and individuals across more than 50 countries.
The alarming campaign underscores a troubling evolution in phishing tactics, with cybercriminals exploiting the inherent trust users place in official-looking communications and the seemingly harmless PDF format.
Weaponized with malicious elements, the PDFs lure victims through social engineering techniques, manipulating them into opening the files and unknowingly putting their personal data at risk.
Mobile users are particularly vulnerable, as limited visibility into file contents before opening significantly amplifies the risk of falling victim to the attacks.
“Although USPS has no involvement, cybercriminals exploit its trusted name to mislead and target users,” said Nico Chiaraviglio, zLabs Chief Scientist at Zimperium.
“This campaign shows the growing sophistication and continued rise of mishing attacks, emphasizing the need for proactive mobile security measures,” Chiaraviglio added.
The investigation has uncovered over 20 malicious PDF files and an alarming 630 phishing pages, making this one of the largest mishing campaigns identified to date.
The attackers use these fraudulent documents to trick victims into revealing sensitive credentials, compromising both personal and enterprise data on a massive scale.
What distinguishes this campaign is its use of cutting-edge evasion techniques to bypass traditional endpoint security measures.
The newly discovered methods obscure malicious links within PDFs, enabling attackers to bypass defenses unnoticed. For mobile users—who often trust PDFs implicitly and may have limited ability to inspect their contents—the risk is even greater.
Zimperium also warns that the attackers are exploiting the very format many regard as safe and credible. The PDFs are crafted to appear legitimate, deceiving users into engaging with them and ultimately compromising their data.
Lines Of Defense
Your first line of defense in the battle against scams is always to scrutinize the sender’s details. Scammers are experts at impersonating trusted organizations like USPS, making subtle changes to phone numbers or email addresses just enough to make their messages look legitimate.
Official USPS communications always come from verified sources—so if something feels off, whether it’s the sender’s phone number or email, treat it with suspicion.
Too often, scammers count on these small alterations in sender info to fool recipients into believing their message is the real deal. But even if the sender checks out, that doesn’t guarantee the message is safe.
A favorite trick of scammers? Embedding malicious links that direct you to fake websites. Experts are clear on this: never click on any link in a suspicious message.
Instead, go directly to the official USPS website or open your trusted mobile app. That quick move could save you a mountain of trouble down the road.
And when it comes to PDFs, take extra caution. Scammers often disguise harmful code within seemingly official documents. Before you open any PDF, check its metadata.
It’s a simple step that can reveal inconsistencies or tampering. A quick inspection on your desktop or through a trusted PDF app can be your shield against falling for these deceptions.
Key Tips – Verifying Message Authenticity
When faced with potential SMS or PDF phishing attempts, especially those posing as trusted organizations like USPS, it’s critical to follow these best practices to safeguard your security:
- Scrutinize Sender Details: Always verify the sender’s phone number or email address. Official USPS messages come from a verified source, so if anything seems off, don’t trust it.
- Avoid Clicking on Links: Never click on suspicious links in messages. Instead, go directly to the official USPS website or use their official mobile app for any necessary actions. This way, you steer clear of being led to fraudulent sites.
- Inspect PDF Metadata: If a PDF is included in the message, take a moment to inspect its metadata. A quick check on a desktop or trusted app can reveal any odd or inconsistent details that suggest the document isn’t legitimate.
- Enable Security Tools: Fortify your defenses by enabling advanced mobile threat protection. These security solutions can detect and block phishing attempts before they even reach you, adding an extra layer of protection.
- Report Suspicious Activity: If you receive a questionable message claiming to be from USPS, don’t hesitate to report it. Visit the official USPS phishing page or contact their support directly to ensure the matter is investigated. Taking action can help protect not just you, but others as well.
Zimperium’s Key Findings:
- Campaign Scale: More than 20 malicious PDF files and 630 phishing pages uncovered, targeting organizations across 50+ countries.
- Innovative Evasion Techniques: Cutting-edge methods are being used to obscure malicious links, successfully bypassing traditional endpoint security measures.
- Critical Vulnerability: Scammers exploit mobile users’ trust in PDFs, making them a prime vector for attacks and posing a significant threat to enterprise security.
The discovery of this sophisticated mobile phishing campaign serves as a stark reminder of the evolving tactics cybercriminals use to exploit vulnerabilities in mobile security.
With the widespread use of PDFs and the inherent trust placed in official-looking communications, users and organizations alike must remain vigilant.
In 2024, Zimperium discovered a potent threat identified as the SMS Stealer. This malicious software, uncovered by Zimperium’s zLabs team during routine malware analysis, has been identified in over 105,000 samples, across more than 600 global brands
The mobile security market has experienced notable growth, projected to increase from $8.1 billion in 2024 to $9.85 billion in 2025, reflecting a compound annual growth rate (CAGR) of 21.6%.
