In recent years, we’ve witnessed the rise of phishing attacks, where cybercriminals trick victims into clicking on malicious web links to harvest sensitive personal information. Building upon this tactic, a new form of attack has emerged known as “Mishing” — a cyber campaign specifically targeting mobile devices with phishing links, usually propagated through SMS or messaging apps like whatsapp, signal and telegram.
Zimperium, a leader in offering mobile security solutions, has uncovered a sophisticated mishing campaign where hackers impersonate the United States Postal Service (USPS) to target mobile users. Their zLabs threat research team has reported that malicious SMS messages are being sent to U.S. and a few UK based phone numbers. These messages typically contain a short URL that leads to a PDF file, which when opened, redirects users to a website designed to steal credentials and compromise personal data.
The crux of this attack is that many telecom service providers fail to adequately scan or provide visibility into the contents of attached PDF files, which leaves users vulnerable to threats like data breaches and credential theft. These malicious files often contain obfuscated code or scripts that execute when accessed, facilitating the download of malware or ransomware on the victim’s device.
It’s important to note that the United States Postal Service is in no way involved in this mishing campaign. The USPS is an innocent party, and the malicious links are purely a social engineering tactic used by the attackers to gain victim trust.
To counter such attacks, awareness is the most powerful defense. As with email security, users should exercise extreme caution when receiving unsolicited messages from unknown numbers, especially those containing links or attachments. The same best practices used to avoid phishing emails should be applied to mobile security. For instance, users should avoid clicking on any links that seem suspicious or come from unknown senders, and never open attachments unless they are absolutely sure of the source.
In summary, this mishing campaign targeting iPhone and Android users under the guise of USPS alerts is a growing threat, though the specifics of the scam — such as the sender’s identity or the phrasing of the message — may evolve over time. The attackers may attempt to deliver malware, drop a malicious payload, or further escalate their attack in a variety of ways. Keeping vigilant and adopting a proactive stance toward mobile security will be key in defending against these increasingly sophisticated threats.
