Monday, March 3, 2025

Clickbait PDFs, An Entry point For Multiple Web Based Attacks


Researchers studied the infrastructure behind clickbait PDF attacks by analyzing a large dataset of real-world PDFs, identifying the clickbait ones and the infrastructure they link to. They found that attackers rely on several hosting types, including object storage, website hosting, and CDNs.

The PDFs are typically planted on legitimate servers by exploiting vulnerabilities in outdated software components. The researchers also evaluated mitigation strategies and notified the hosting providers about the malicious PDFs.

While this takedown effort had positive results initially, most providers did not address the underlying vulnerabilities, and attackers uploaded new clickbait PDFs soon after.

Figure: The interconnections between clickbait PDFs

Clickbait PDFs are malicious PDFs that use search engine optimization (SEO) techniques to rank highly in search results and funnel users into phishing attacks.

The authors frame their investigation of the infrastructure supporting these clickbait PDFs around four research questions: (1) what types of hosting services are used; (2) how attackers upload the PDFs; (3) how long the PDFs stay online and how many there are; and (4) how effective it is to report the abuse to the hosting providers.


To answer these questions, they build two datasets of clickbait PDFs, one for the initial analysis and one for real-time monitoring. Comparing their work with a previous study, they highlight three contributions: a larger dataset, a new way to track active clickbait PDFs, and a machine learning model used in the data analysis.

Figure: Grape modules and I/O data connections.

The researchers built a system named Grape, composed of several cooperating modules, to collect and analyze clickbait PDFs. First, the PDF Analysis Module extracts URLs and metadata from each PDF.

The PDF Status Check module then verifies whether the extracted URLs are still online, and the Analysis module retrieves DNS records and WHOIS information for them.

The same module identifies vulnerable or misconfigured software components on the hosting servers. Finally, the Clustering Module groups clickbait PDFs by the visual similarity of their first page.
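The following is an added example, not code from the paper or from Grape, showing the kind of work the PDF Analysis Module does: pulling link targets and Document Information fields out of a PDF without rendering it, so that the hosts can be handed to the status check and DNS/WHOIS lookups. The sample PDF is constructed inline for this example (reserved example domains, placeholder metadata); the function and constant names are this example's own.

```python
import re
import zlib
from urllib.parse import urlparse

# Added example (not the paper's or Grape's code). Greps /URI action targets and
# Info-dictionary strings out of a PDF, including those hidden inside Flate-compressed
# object streams, which a plain `strings | grep http` would miss.

_LITERAL = rb"\((?P<lit>(?:\\.|[^\\)])*)\)"     # (string) with backslash escapes; nested
                                                  # unescaped parentheses are not handled
_HEX = rb"<(?P<hex>[0-9A-Fa-f\s]*)>"             # <68747470...> hex string
_STRING = rb"(?:" + _LITERAL + b"|" + _HEX + b")"
URI_RE = re.compile(rb"/URI\s*" + _STRING)       # target of a /S /URI link action
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
INFO_KEYS = (b"Title", b"Author", b"Subject", b"Keywords", b"Creator", b"Producer")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(m: re.Match) -> bytes:
    esc = m.group(1)
    return _ESCAPES.get(esc) or bytes([int(esc, 8) & 0xFF])   # \ddd octal escape


def decode_pdf_string(m: re.Match) -> str:
    """Decode the literal or hex string matched by _STRING into text."""
    if m.group("hex") is not None:
        digits = re.sub(rb"\s", b"", m.group("hex"))
        if len(digits) % 2:                       # PDF pads an odd final digit with 0
            digits += b"0"
        raw = bytes.fromhex(digits.decode("ascii"))
    else:
        raw = re.sub(rb"\\([nrtbf()\\]|[0-7]{1,3})", _unescape, m.group("lit"))
    return raw.decode("utf-8", "replace")


def _views(pdf: bytes):
    """Yield the raw file, then the inflated body of every Flate stream it contains."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue          # image data or another filter; not relevant for link extraction


def extract_uris(pdf: bytes) -> list[str]:
    """All distinct /URI action targets, in order of first appearance."""
    seen: dict[str, None] = {}
    for view in _views(pdf):
        for m in URI_RE.finditer(view):
            seen.setdefault(decode_pdf_string(m), None)
    return list(seen)


def extract_info(pdf: bytes) -> dict[str, str]:
    """Document Information dictionary fields (Title, Producer, ...) when present."""
    info = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key + rb"\s*" + _STRING, pdf)
        if m:
            info[key.decode()] = decode_pdf_string(m)
    return info


def linked_hosts(pdf: bytes) -> list[str]:
    """Hostnames the PDF points at; the input for status checks and DNS/WHOIS lookups."""
    hosts = {urlparse(u).hostname for u in extract_uris(pdf)}
    return sorted(h for h in hosts if h)


def build_sample_pdf() -> bytes:
    """Constructed two-link PDF: one plaintext link annotation and one inside a
    Flate-compressed object stream that uses a hex-string URI. xref table and
    byte offsets are omitted because the extractor above never consults them."""
    target2 = "https://example.net/step2?ref=pdf".encode().hex().encode()
    inner = (b"<< /Type /Annot /Subtype /Link /Rect [50 600 400 640] "
             b"/A << /S /URI /URI <" + target2 + b"> >> >>")
    objstm = zlib.compress(b"7 0 " + inner)       # "7 0 " = object number 7 at offset 0
    parts = [
        b"%PDF-1.5\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R 7 0 R] >> endobj\n",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 400 740] "
        b"/A << /S /URI /URI (https://example.com/landing\\(1\\)) >> >> endobj\n",
        b"5 0 obj << /Title (Constructed clickbait sample) /Author (unknown) "
        b"/Producer (hypothetical-pdf-tool 1.0) >> endobj\n",
        b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(objstm)).encode() + b" >>\nstream\n" + objstm + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R /Info 5 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


SAMPLE_PDF = build_sample_pdf()

if __name__ == "__main__":
    print(extract_info(SAMPLE_PDF))
    for u in extract_uris(SAMPLE_PDF):
        print("link:", u)
    print("hosts:", linked_hosts(SAMPLE_PDF))
```

This is deliberately a grep-level extractor: it ignores the xref table, handles only FlateDecode streams, and does not decrypt encrypted documents or follow JavaScript or Launch actions, which is why a production pipeline would sit this behind a full PDF parser. The point it makes is that the second link only becomes visible after inflating the object stream, so a triage step that stops at the raw bytes undercounts the hosts a clickbait PDF depends on.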

The researchers then analyzed the hosting infrastructure by looking at the network properties of the extracted URLs and found that most PDFs reside on website hosting, CDN, and object storage services.

Figure: Example showing static resources residing on a different domain

They investigated indicators of compromise (IoCs) for each hosting type. For object storage, they analyzed the buckets' Access Control Lists (ACLs) and found that many have weak permissions.

For website hosting and hosting of undetermined type, they looked for outdated software, vulnerable components, and software that facilitates file upload, and identified many outdated components and plugins with unrestricted file upload vulnerabilities.
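As an added example for the object-storage ACL check described above (not the paper's or Grape's code), the block below classifies the grants in an S3-style bucket ACL of the shape GetBucketAcl returns. The page does not say which storage providers or ACL formats were examined, so the S3 XML format is an assumption made here; the two ACL documents are constructed for this example, with placeholder owner IDs, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Added example (not from the paper or Grape). Flags bucket ACL grants that let
# outsiders list the bucket or, worse, upload objects into it. S3 ACL XML format
# assumed; the sample ACLs are constructed here.

S3 = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_URI = "http://www.w3.org/2001/XMLSchema-instance"
XSI = "{" + XSI_URI + "}"
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, unauthenticated",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
OWNER_ID = "0" * 64   # placeholder canonical user ID, not a real account


def _acl(*grants: str) -> str:
    """Wrap grant fragments in a minimal AccessControlPolicy document."""
    return ('<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
            f'<Owner><ID>{OWNER_ID}</ID></Owner><AccessControlList>'
            + "".join(grants) + '</AccessControlList></AccessControlPolicy>')


def _user_grant(canonical_id: str, perm: str) -> str:
    return (f'<Grant><Grantee xmlns:xsi="{XSI_URI}" xsi:type="CanonicalUser">'
            f'<ID>{canonical_id}</ID></Grantee><Permission>{perm}</Permission></Grant>')


def _group_grant(uri: str, perm: str) -> str:
    return (f'<Grant><Grantee xmlns:xsi="{XSI_URI}" xsi:type="Group">'
            f'<URI>{uri}</URI></Grantee><Permission>{perm}</Permission></Grant>')


# Constructed ACLs: a safe owner-only bucket and a bucket anyone can list and any
# AWS account can write to (the pattern that lets a stranger drop a PDF in it).
OWNER_ONLY_ACL = _acl(_user_grant(OWNER_ID, "FULL_CONTROL"))
WEAK_ACL = _acl(
    _user_grant(OWNER_ID, "FULL_CONTROL"),
    _group_grant("http://acs.amazonaws.com/groups/global/AllUsers", "READ"),
    _group_grant("http://acs.amazonaws.com/groups/global/AuthenticatedUsers", "WRITE"),
)


def parse_grants(acl_xml: str) -> list[tuple[str, str, str]]:
    """(grantee type, grantee identifier, permission) for every grant in the ACL."""
    root = ET.fromstring(acl_xml)
    out = []
    for grant in root.iter(S3 + "Grant"):
        grantee = grant.find(S3 + "Grantee")
        ident = (grantee.findtext(S3 + "URI") or grantee.findtext(S3 + "ID")
                 or grantee.findtext(S3 + "EmailAddress") or "")
        out.append((grantee.get(XSI + "type", ""), ident, grant.findtext(S3 + "Permission", "")))
    return out


def assess(acl_xml: str) -> dict:
    """Summarise what the two public groups can do; owner and named-account grants are skipped."""
    result = {"public_list": False, "public_upload": False, "public_acl_write": False, "findings": []}
    for gtype, ident, perm in parse_grants(acl_xml):
        if gtype != "Group" or ident not in PUBLIC_GROUPS:
            continue
        who = PUBLIC_GROUPS[ident]
        if perm in ("READ", "FULL_CONTROL"):
            result["public_list"] = True          # enumerate every hosted object
        if perm in ("WRITE", "FULL_CONTROL"):
            result["public_upload"] = True        # create or overwrite objects, e.g. a new PDF
        if perm in ("WRITE_ACP", "FULL_CONTROL"):
            result["public_acl_write"] = True     # can grant themselves WRITE later
        result["findings"].append(f"{perm} granted to {who}")
    return result


if __name__ == "__main__":
    for name, acl in (("owner-only", OWNER_ONLY_ACL), ("weak", WEAK_ACL)):
        print(name, assess(acl))
```

Two caveats a practitioner would attach to this check. A bucket ACL is only one of several controls: a bucket policy or S3 Block Public Access can neutralise a weak grant, and with ACLs disabled (bucket owner enforced) the grants are not evaluated at all, so a clean ACL does not prove the bucket is safe and a dirty one does not by itself prove it is writable. And permission to upload is the relevant finding here, not public READ: a publicly readable bucket is the normal way to serve static files, while AllUsers or AuthenticatedUsers WRITE is what lets an attacker turn someone else's storage into clickbait PDF hosting.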

According to the paper, blocklists such as VirusTotal and Google Safe Browsing offer limited protection against clickbait PDFs, with low detection rates and infrequent blocking.

The researchers also reported the PDFs to the hosting providers. While this led to a significant initial reduction in the number of online PDFs, the long-term impact is limited due to persistent attacker activity and incomplete remediation by hosts.

Many affected parties acknowledged the issue but only partially addressed it, indicating a need for improved security practices and potentially more proactive countermeasures. 


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
