
Scammers Target Users with PDFs and SMS, Warns Zimperium
TL;DR
Researchers from Zimperium have identified two phishing campaigns that use reputable names like PayPal and EZDriveMA to steal mobile users' financial data. The attacks, occurring between February and April 2025, distribute malicious PDF documents via SMS and MMS, exploiting users' trust in text messages.
The EZDriveMA campaign generated around 2,145 malicious domains in a short period, while the PayPal attack combines digital phishing with vishing (voice phishing). Research shows that traditional security solutions took up to 27 hours longer than artificial intelligence systems to detect these threats.
EZDriveMA: Fake Tolls and Rotating Infrastructure
The EZDriveMA attack starts with a message containing a PDF that resembles an official notification about overdue tolls. This document includes logos and formatting designed to look legitimate. Inside the PDF, a link redirects the victim to a fake site, collecting credentials and personal data.
This strategy is marked by the rapid creation of malicious infrastructure, with 2,145 domains generated in two months. Analyzed patterns show the use of domain generation algorithms (DGA), where two prefixes dominate. The speed of domain rotation renders traditional blocking solutions ineffective.
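The report describes a pool of lure domains that share a couple of dominant prefixes and rotate faster than blocklists can keep up. The following Python snippet is an added example (not Zimperium's tooling or data) of the kind of triage a defender can run over domains harvested from SMS lures: it clusters them by their leading alphabetic prefix to surface the dominant families and scores each registrable label on digit ratio and Shannon entropy, a common heuristic for algorithmically generated names. The domain list, the prefixes "ezdrive" and "tollpay", and the thresholds are all constructed for illustration; a production version would use a public-suffix list instead of the naive second-level-label split.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of lure domains (invented for this example, not taken
# from the report). Two prefixes dominate, mirroring the pattern described.
SAMPLE_DOMAINS = [
    "ezdrive-k3q9x.com", "ezdrive-m2p71.net", "ezdrive-z941t.top",
    "tollpay-8h42c.com", "tollpay-q0w37.xyz", "tollpay-r7y21.com",
    "ezdrive-a1b23.info",
    "example.com", "paypal.com",          # benign controls
]

# Heuristic thresholds (assumed values, tune against your own telemetry).
DIGIT_RATIO_THRESHOLD = 0.20
ENTROPY_THRESHOLD = 3.3


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`; higher means more random-looking."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Second-level label (naive: does not consult a public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def prefix_of(label: str) -> str:
    """Leading alphabetic run of the label, used to cluster domain families."""
    m = re.match(r"[a-z]+", label)
    return m.group(0) if m else label


def score_domain(domain: str) -> Dict[str, object]:
    """Compute per-domain DGA-style features and a suspicious flag."""
    label = registrable_label(domain)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    entropy = shannon_entropy(label)
    return {
        "domain": domain,
        "label": label,
        "prefix": prefix_of(label),
        "digit_ratio": digit_ratio,
        "entropy": entropy,
        "suspicious": digit_ratio >= DIGIT_RATIO_THRESHOLD
        or entropy >= ENTROPY_THRESHOLD,
    }


def suspicious_domains(domains: List[str]) -> List[str]:
    """Return the domains whose label looks algorithmically generated."""
    return [d for d in domains if score_domain(d)["suspicious"]]


def dominant_prefixes(domains: List[str], top: int = 2) -> List[Tuple[str, int]]:
    """Most common label prefixes, i.e. the dominant lure families."""
    return Counter(prefix_of(registrable_label(d)) for d in domains).most_common(top)


if __name__ == "__main__":
    for row in map(score_domain, SAMPLE_DOMAINS):
        print(f"{row['domain']:<22} prefix={row['prefix']:<8} "
              f"digits={row['digit_ratio']:.2f} H={row['entropy']:.2f} "
              f"suspicious={row['suspicious']}")
    print("dominant prefixes:", dominant_prefixes(SAMPLE_DOMAINS))
```

Clustering by prefix is what makes the rotating-infrastructure pattern visible: individual domains look unique, but the families stand out once grouped, which is also why a per-domain blocklist lags so far behind.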
EZDriveMA is an attractive lure because of its large user base, and the urgency created by potential fines makes victims easier to manipulate.
PayPal Campaign: Double Vector and Social Engineering
The campaign pretending to be from PayPal adopts a more complex approach. A PDF simulates a Bitcoin purchase for $480.11, creating a sense of urgency. Users are urged to cancel the charge through two channels: a link to customer service and a phone number.
Both actions are traps. The link leads to a fake page that collects data, while the call connects users to scammers, who use social engineering to extract confidential information, including credit card details.
The technical infrastructure reveals obfuscation mechanisms, including the use of URL shortening services to mask final destinations and bypass security tools. The collection system allows mapping victims and assessing the campaign's effectiveness.
The effectiveness of the attacks lies in the combination of urgency, professional appearance, and distribution via SMS, which is viewed quickly by users.
Critical Detection Gap
A study compared detection times between artificial intelligence systems and public databases. The difference of up to three days demonstrated the superiority of AI, which identifies malicious patterns in real-time, while public lists rely on victim reports.
The use of behavioral detections has proven effective in identifying threats before they are cataloged as malicious, showing the necessary speed to protect users.
Why PDFs as Vectors?
PDFs offer both technical and psychological advantages for attackers. Their technical structure allows malicious URLs to be hidden through complexity, while psychologically, they are accepted in professional contexts and rarely questioned by users.
Distribution via SMS exacerbates this situation since messages are opened within minutes, generating a false sense of security.
Lack of Protection on the Channel
Most security solutions still do not provide effective analysis for files sent via SMS/MMS. Despite advancements in message filtering systems, few adequately check PDF attachments, resulting in a blind spot.
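The three observations above (links buried in PDF structure, shortener hosts masking the final destination, and message filters that never look inside the attachment) suggest a simple check a defender can add to an SMS/MMS attachment pipeline. The Python below is an added example, not code from Zimperium or the page: it builds a small constructed PDF containing one plain link annotation and one hidden inside a FlateDecode stream, pulls every `/URI` out of both the raw bytes and the inflated streams, and classifies each host as a shortener, the expected brand host, a brand lookalike, or unknown. The shortener list, the `.test` hostnames and the `paypal.com` brand parameter are assumptions for illustration; the parser only handles literal `/URI (...)` strings and streams with a direct `/Length`, which is enough for the demo but not for every real PDF.

```python
import re
import zlib
from typing import Dict, List
from urllib.parse import urlparse

# Constructed list of public URL-shortener hosts (example entries only; a
# real deployment maintains and updates its own list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}

# Literal-string form of a link action: /URI (https://...). Escaped ')' inside
# the string and hex-string form <...> are not handled by this demo regex.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Stream with a direct /Length; indirect lengths (e.g. "/Length 6 0 R") are skipped.
STREAM_RE = re.compile(rb"/Length\s+(\d+)\s*>>\s*stream\r?\n", re.S)


def build_sample_pdf() -> bytes:
    """Constructed test input: one visible link annotation plus one link that is
    only readable after inflating a FlateDecode stream."""
    hidden = (b"<< /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://tinyurl.com/constructed-lure) >> >>")
    compressed = zlib.compress(hidden)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (https://paypal.com.example-invoice.test/cancel) >> >> endobj\n",
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(compressed)).encode() + b" >>\nstream\n" + compressed
        + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


def extract_uris(pdf: bytes) -> List[str]:
    """Collect /URI targets from the raw file and from inflated Flate streams."""
    found = [m.decode("latin-1") for m in URI_RE.findall(pdf)]
    for m in STREAM_RE.finditer(pdf):
        body = pdf[m.end():m.end() + int(m.group(1))]
        try:
            inflated = zlib.decompress(body)
        except zlib.error:
            continue  # not a Flate stream (or damaged): nothing to scan
        found.extend(u.decode("latin-1") for u in URI_RE.findall(inflated))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def classify_uri(uri: str, expected_brand_host: str = "paypal.com") -> str:
    """Label a link by where it actually points, relative to the brand the
    document claims to come from."""
    host = (urlparse(uri).hostname or "").lower()
    if host in SHORTENER_HOSTS:
        return "shortener"          # destination masked; resolve before trusting
    if host == expected_brand_host or host.endswith("." + expected_brand_host):
        return "brand-host"
    if expected_brand_host.split(".")[0] in host:
        return "brand-lookalike"    # brand name embedded in an unrelated domain
    return "unknown"


def triage_pdf(pdf: bytes, expected_brand_host: str = "paypal.com") -> Dict[str, str]:
    """Map every extracted link to its classification."""
    return {u: classify_uri(u, expected_brand_host) for u in extract_uris(pdf)}


if __name__ == "__main__":
    for uri, verdict in triage_pdf(build_sample_pdf()).items():
        print(f"{verdict:<16} {uri}")
```

The point of inflating streams is that a link which never appears in the plain bytes is invisible to a grep-style filter, which is exactly the "hidden through complexity" property the text describes; any verdict other than `brand-host` on a document claiming to be an invoice from that brand is a reason to quarantine the message.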
Organizations typically implement VPNs and firewalls, but these defenses do not protect mobile devices when users access personal messages outside the corporate network.
Documented Attack Flow
The campaigns are divided into three stages. The first involves sending text messages carrying fraudulent lures, such as toll notices or invoices. In the second, users open convincing documents. Finally, the links redirect to fake credential collection systems or lead to calls where social engineering is applied.
Precision Rate and Speed
The analysis classified 2,145 new domains with a precision of 98.46%. The detection combines real-time protection and proactive classification, allowing for domain mapping before users are affected. Each hour of advantage represents a decrease in the number of potential victims, highlighting the importance of advanced technologies in this cybersecurity scenario.
Content selected and edited with AI assistance. Original sources referenced above.