A new phishing scam targeting mobile devices was observed using a “never-before-seen” obfuscation method to hide links to spoofed United States Postal Service (USPS) pages inside PDF files, Zimperium reported Monday.
The method manipulates elements of the Portable Document Format (PDF) to make clickable URLs appear invisible to both the user and mobile security systems, which would normally extract links from PDFs by searching for the “/URI” tag.
“Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions. In contrast, the same URLs were detected when the standard /URI tag was used,” Zimperium Malware Researcher Fernando Ortega wrote in a blog post.
The post explained how PDF files are made up of different “objects” — such as strings, arrays, dictionaries and streams — which provide the blueprint for how PDF-viewing software will load and display content. The attackers send the malicious PDFs via SMS text messages under the guise of providing instructions to retrieve a USPS package that failed to deliver.
Ordinarily, hyperlinks would be displayed in a PDF file via a “Go-To-URI” action dictionary object, which includes the /URI tag followed by a string (i.e. the URL). However, in the PDF sent through the SMS text phishing campaign, links are instead embedded as part of a compressed stream item that provides instructions for the PDF viewer to render clickable text.
These instructions not only bypass the use of the conspicuous Go-To-URI action, but also hide the suspicious URL from view by setting the font color to be the same as the background color and moving the text to the same position where an image is set to load as an external object (XObject).
The link is even further obfuscated through the use of a font object that references a custom table mapping character IDs to different Unicode values than they would normally correlate to. As the stream object instructs the PDF viewer to use this font object to render the URL text, the text loads as a string of Unicode characters that appear different from the URL the text actually links to.
Instead of the clickable text URL, the targeted user would see the XObject image of a “Click Update” button rendered on top of it. Tapping the button would activate the link hidden underneath, directing the user to a spoofed USPS website.
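The detection gap described above, as an added example that is not from Zimperium's post or SC Media: a small Python scanner that compares what a conventional /URI-tag check finds against what inflating FlateDecode content streams reveals. The sample PDF bytes, the URLs and the function names are all constructed for this illustration; the fixture is not a renderable document, and the parser is deliberately minimal (no object streams, encryption, indirect /Length references or escaped parentheses), so it shows the principle rather than replacing a real PDF analysis tool.

```python
import re
import zlib

# Constructed fixture: a minimal PDF-like byte blob used only to exercise the
# scanner. It is not a valid renderable PDF. One URL is declared the
# conventional way (a /URI action); a second appears only inside a
# FlateDecode-compressed content stream, the placement the article describes.
URL_IN_ACTION = b"https://example.invalid/standard-link"
URL_IN_STREAM = b"https://example.invalid/hidden-in-stream"


def build_sample_pdf() -> bytes:
    """Return the constructed fixture described above."""
    content = b"BT /F1 12 Tf 0 0 Td (" + URL_IN_STREAM + b") Tj ET"
    deflated = zlib.compress(content)  # raw bytes no longer contain the URL text
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Action /S /URI /URI (" + URL_IN_ACTION + b") >> endobj\n",
        b"2 0 obj << /Length " + str(len(deflated)).encode() + b" /Filter /FlateDecode >>\n",
        b"stream\n", deflated, b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])


# A /URI tag followed by a literal string: what a conventional link extractor
# looks for.
URI_TAG_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# A stream dictionary (nesting not handled) immediately followed by the
# stream keyword.
STREAM_DICT_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")
# Direct /Length values only; an indirect reference ("5 0 R") is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def urls_from_uri_tags(pdf: bytes) -> list:
    """URLs declared via the standard /URI tag (the conventional check)."""
    return [m.group(1).decode("latin-1") for m in URI_TAG_RE.finditer(pdf)]


def iter_stream_data(pdf: bytes):
    """Yield the decoded bytes of every stream object in the file."""
    for m in STREAM_DICT_RE.finditer(pdf):
        d = m.group(1)
        start = m.end()
        n = LENGTH_RE.search(d)
        if n is not None:
            data = pdf[start:start + int(n.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            data = pdf[start:end if end != -1 else len(pdf)]
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # corrupt or unsupported stream; skip rather than fail
        yield data


def urls_from_streams(pdf: bytes) -> list:
    """URLs that only become visible after inflating compressed streams."""
    found = []
    for data in iter_stream_data(pdf):
        found.extend(u.decode("latin-1") for u in URL_RE.findall(data))
    return found


def analyze(pdf: bytes) -> dict:
    """Compare the two views; a URL in a stream but not in any /URI tag is suspect."""
    tagged = urls_from_uri_tags(pdf)
    streamed = urls_from_streams(pdf)
    return {
        "uri_tag_urls": tagged,
        "stream_urls": streamed,
        "hidden_only": sorted(set(streamed) - set(tagged)),
    }


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("URL text present in raw bytes:", URL_IN_STREAM in sample)
    for key, value in analyze(sample).items():
        print(f"{key}: {value}")
```

The point of the comparison is the `hidden_only` list: a link that a viewer can make clickable from stream content but that never appears under a /URI tag is exactly the pattern a /URI-only extractor misses, and it is a cheap signal to alert on before the more expensive step of rendering the page.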
The phishing website first displays a form for the victim to provide their mailing address, email address and telephone number, and then asks for credit card information to pay a $0.30 “service fee” for redelivery of the supposed package. The provided information is encrypted with the Rabbit stream cipher and transmitted to the attacker’s command-and-control server.
Zimperium identified more than 20 versions of the malicious PDF files and 630 phishing pages associated with the scam operation. The phishing pages were also found to support 50 languages, suggesting international targeting and possible use of a phishing kit.
Users’ trust in the PDF file format and the limited ability of mobile users to view information about a file prior to opening it increase the risk of such phishing campaigns, Zimperium noted.
“While organizations have robust email security, the critical tension between Finance, HR, and Technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors,” Stephen Kowski, field CTO of SlashNext Email Security+, told SC Media in an email. “Organizations must expand their security strategy beyond email to include comprehensive protection for mobile messaging and web-based messaging threats.”