Clickbait PDFs Are the New Gateway for Web-Based Attacks

Researchers studied the infrastructure behind clickbait PDF attacks by analyzing a large dataset of real-world PDFs, identified clickbait PDFs, and used their cross-links to find the supporting infrastructure. 

The analysis showed that the attack spans multiple hosting categories, including object storage, website hosting, and CDNs. Attackers exploit vulnerabilities in various software components to upload clickbait PDFs. 

To mitigate the spread, researchers notified hosting providers about the malicious PDFs. While this takedown had some positive impact, it wasn’t long-lasting, suggesting that the underlying vulnerabilities were not addressed. 

 The interconnections between clickbait PDFs

The authors built a system named Grape to collect data on clickbait PDFs, which consists of multiple modules that analyze PDFs, URLs, and websites hosting the PDFs. 

The data is collected from two sources: a seed dataset of PDFs with clickbait characteristics and a main dataset built by following links in the seed dataset. 

Then use this data to investigate the types of infrastructure used to host clickbait PDFs, how attackers upload the PDFs, and the effectiveness of takedown requests, which can be used to improve methods for detecting and blocking clickbait PDFs. 

Grape modules and I/O data connections.

The study analyzed clickbait PDF hosting infrastructure to identify indicators of compromise (IoCs) by investigating the network properties of Seed DS backlinks to group similar web hosts. 

They categorized hosts into object storage, CDN, and website hosting based on observed characteristics, focusing on URLs hosting PDFs, revealing misconfigured S3 buckets with public read/write access. 

Outdated software components were more prevalent on undetermined hosting sites compared to website hosting, while it also identified plugins like CKFinder and KCFinder, known to have unrestricted file upload vulnerabilities, on many hosting sites. 

These findings suggest that a combination of misconfigured storage, outdated software, and vulnerable plugins creates an environment where attackers can upload clickbait PDFs. 

Example showing static resources residing on a
different domain 

Researchers analyzed clickbait PDF distribution across various hosting types, finding object storage to be most persistent. PDF clusters were identified and correlated with specific hosting types. 

According to the research, a notification campaign was conducted to address the issue, resulting in a significant reduction of online PDFs in the treatment group compared to the control. 

However, long-term analysis showed continued PDF uploads on notified hosts, indicating persistent attacker activity and a limited impact of the notification on overall host security. 

A 17-month study analyzed 177,835 hosts serving 4.6 million clickbait PDF links across object storage, CDN, and website hosting platforms, which maintained PDF distribution for an average of nine months, facilitated by six identified plugins, two web frameworks, and prevalent outdated software. 

A large-scale vulnerability notification led to a temporary reduction in online PDFs, but reuploads and partial cleanups limited its impact. While some hosts took significant action, the overall effect on the vast volume of clickbait PDFs remains constrained. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here