Saturday, January 25, 2025

Clickbait PDFs, An Entry point For Multiple Web Based Attacks


Researchers studied the infrastructure behind clickbait PDF attacks by analyzing a large dataset of real-world PDFs to identify the clickbait ones and the infrastructure that hosts them. They found that attackers use several hosting types, including object storage, website hosting, and CDNs.

The attackers exploit vulnerabilities in outdated software components to upload the malicious PDFs. The researchers also investigated mitigation strategies and notified the hosting providers about the PDFs they found.

While this takedown effort had positive results initially, most providers didn’t address the underlying vulnerabilities, allowing attackers to upload new clickbait PDFs soon after.  

The interconnections between clickbait PDFs

Clickbait PDFs are malicious PDFs that use SEO techniques to rank highly in search results and lead users to phishing attacks. 

The authors investigate the infrastructure that supports these clickbait PDFs and frame the work around four research questions: (1) what types of hosting services are used; (2) how attackers upload the PDFs; (3) how long the PDFs stay online and how many there are; and (4) how effective it is to report the abuse to the hosting providers.


To answer these questions, they built two datasets of clickbait PDFs, one for initial analysis and one for real-time monitoring. They compare their work with a previous study and highlight their contributions: a larger dataset, a new way to track active clickbait PDFs, and a machine learning model for data analysis.

Grape modules and I/O data connections.

A system named Grape was used to collect and analyze clickbait PDFs. It consists of several modules that work together. First, the PDF Analysis Module extracts URLs and metadata from the PDFs.

Then the PDF Status Check Module verifies whether the URLs are still online, and the Analysis Module retrieves DNS records and WHOIS information for the extracted URLs.

It also identifies vulnerable or misconfigured software components on the hosting servers. Finally, the Clustering Module groups clickbait PDFs based on the visual similarity of their first page.
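As an added illustration of the PDF Analysis Module's first step (this is not Grape's code and is not from the paper), the following Python extracts link URIs and document metadata from an uncompressed PDF and tags each link's host with a coarse hosting-type guess. The sample PDF bytes and the hostname suffix lists are constructed assumptions, and the parser only handles plain-text PDF objects, not compressed object streams.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with two link annotations
# and an Info dictionary. Real clickbait PDFs are usually larger and compressed.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-bucket.s3.amazonaws.com/offer.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://d1234.cloudfront.net/go?id=7) >> >> endobj
6 0 obj << /Title (Free Gift Card) /Producer (ConstructedSample) >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%EOF
"""

# A PDF literal string: parentheses delimit it, backslash escapes are allowed.
PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"
URI_RE = re.compile(rb"/URI\s*" + PDF_STRING, re.S)
META_RE = re.compile(rb"/(Title|Author|Producer)\s*" + PDF_STRING, re.S)

# Hostname suffixes are illustrative assumptions, not a vetted provider list.
HOSTING_HINTS = {
    "object storage": (".s3.amazonaws.com", ".blob.core.windows.net", "storage.googleapis.com"),
    "cdn": (".cloudfront.net", ".cdn.cloudflare.net"),
}

def _decode(raw):
    """Undo the two escapes that matter for URLs and drop to text."""
    return raw.replace(b"\\)", b")").replace(b"\\(", b"(").decode("latin-1")

def extract_uris(pdf_bytes):
    return [_decode(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]

def extract_metadata(pdf_bytes):
    return {k.decode(): _decode(v) for k, v in META_RE.findall(pdf_bytes)}

def classify_host(hostname):
    for label, suffixes in HOSTING_HINTS.items():
        if any(hostname == s.lstrip(".") or hostname.endswith(s) for s in suffixes):
            return label
    return "website hosting / undetermined"

def analyze_pdf(pdf_bytes):
    """One record per outbound link: the URI, its host and a hosting-type guess."""
    records = []
    for uri in extract_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        records.append({"uri": uri, "host": host, "hosting": classify_host(host)})
    return records

if __name__ == "__main__":
    print(extract_metadata(SAMPLE_PDF))
    for rec in analyze_pdf(SAMPLE_PDF):
        print(rec)
```

The hosting label is what a later status-check or abuse-report step would key on, since the report goes to a different party for a bucket owner than for a compromised website.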

The researchers analyzed clickbait PDF hosting infrastructure by looking at the network properties of URLs and found that most PDFs reside on website hosting, CDN, and object storage services. 

Example showing static resources residing on a different domain

They investigated indicators of compromise (IoCs) for each type. For object storage, they analyzed Access Control Lists (ACLs) and found that many buckets have weak permissions. 

For website hosting and undetermined hosting, they looked for outdated software, vulnerable components, and software that facilitates file upload, and identified many outdated components and plugins with unrestricted file upload vulnerabilities.

According to the paper, blocklists such as VirusTotal and Google Safe Browsing offer limited protection against clickbait PDFs, with low detection rates and infrequent blocking.

While the notification campaign led to a significant initial reduction in online PDFs, the long-term impact is limited because of persistent attacker activity and incomplete remediation by the hosts.

Many affected parties acknowledged the issue but only partially addressed it, indicating a need for improved security practices and potentially more proactive countermeasures. 


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
