Saturday, September 7, 2024

Clickbait PDFs, An Entry point For Multiple Web Based Attacks

Researchers studied the infrastructure behind clickbait PDF attacks by analyzing a large dataset of real-world PDFs. They identified the clickbait PDFs and the infrastructure linked to them, and found that attackers use a variety of hosting types, including object storage, website hosting, and CDNs.

The attackers exploit vulnerabilities in outdated software components to upload malicious PDFs. The researchers also investigated mitigation strategies and notified hosting providers about the malicious PDFs.

While this takedown effort had positive results initially, most providers did not address the underlying vulnerabilities, allowing attackers to upload new clickbait PDFs soon after.

The interconnections between clickbait PDFs

Clickbait PDFs are malicious PDFs that use SEO techniques to rank highly in search results and lead users to phishing attacks.

The authors investigate the infrastructure that supports these clickbait PDFs by identifying four research questions: (1) what types of hosting services are used; (2) how attackers upload the PDFs; (3) how long the PDFs stay online and how many there are; and (4) how effective it is to report the abuse to the hosting providers. 

To answer these questions, they create two datasets of clickbait PDFs, one for initial analysis and one for real-time monitoring. Comparing their work to a previous study, they highlight their contributions: a larger dataset, a new way to track active clickbait PDFs, and a machine learning model for data analysis.

Grape modules and I/O data connections.

A system named Grape was used to collect and analyze clickbait PDFs; it consists of multiple modules that work together. First, the PDF Analysis Module extracts URLs and metadata from the PDFs.

Then the PDF Status Check module verifies whether the URLs are still online, and the Analysis Module retrieves DNS records and WHOIS information for the extracted URLs.

It also identifies vulnerable or misconfigured software components on the servers. Finally, the Clustering Module groups clickbait PDFs based on the visual similarity of their first page.

The researchers analyzed clickbait PDF hosting infrastructure by looking at the network properties of URLs and found that most PDFs reside on website hosting, CDN, and object storage services. 

Example showing static resources residing on a different domain

They investigated indicators of compromise (IoCs) for each type. For object storage, they analyzed Access Control Lists (ACLs) and found that many buckets have weak permissions. 

For website hosting and undetermined hosting, they looked for outdated software, vulnerable components, and software that facilitates file upload, and identified many outdated components and plugins with unrestricted file upload vulnerabilities.

According to the paper, blocklists such as VirusTotal and Google Safe Browsing offer limited protection against clickbait PDFs, with low detection rates and infrequent blocking.

While notifying the hosting providers led to a significant initial reduction in online PDFs, the long-term impact is limited due to persistent attacker activity and incomplete remediation by hosts.

Many affected parties acknowledged the issue but only partially addressed it, indicating a need for improved security practices and potentially more proactive countermeasures. 

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
