
Tobias Ebelshäuser

This article will change your life! - Clickbait PDFs are the latest phishing scam

Clickbait PDFs are even worse than Clickbait headlines: They are a new type of phishing attack, first studied by CISPA researcher and PhD candidate Giada Stivala and her colleagues. Clickbait PDF files do not contain any malware per se – instead, they try to coax users into clicking somewhere in the file, leading them to malicious web pages that could potentially steal their data.

Just imagine: You’ve missed the deadline for your tax declaration. You open up your favorite search engine and type in the name of the tax form you’re looking for. Annoyed and in a hurry, you click on the first PDF the search engine spits out. A captcha appears, instructing you to confirm you’re not a robot. You try to tick the box, but suddenly you’re redirected to a web page that gives you all sorts of pop-ups, none of them looking very reassuring. With some bad luck, your device might now be infected. You have fallen prey to a Clickbait PDF, a new type of phishing scam that aims to steal your data.

The latest phishing scam, disguised as a PDF

Clickbait PDFs are a perfect example of the proverbial cybersecurity “cat-and-mouse game”: Hackers think of new attacks and deploy them, cybersecurity researchers develop countermeasures to stop the attacks, hackers in turn work around the countermeasures, continuing the cycle ad infinitum. Phishing scams themselves are nothing new – most users have probably encountered them in the form of sketchy emails that claim to be from their bank, asking them to enter login credentials or prompting them to visit sketchy websites that can infect their device. But as email clients get better at detecting and sorting out phishing mails, and web browsers block malicious web pages more effectively, scammers are looking for new ways to steal user data. “These existing protection mechanisms work pretty well, so attackers have to be ahead of the system and try not to be detected”, says Giada Stivala, PhD candidate and researcher at CISPA. Stivala and her colleagues were the first to study Clickbait PDFs in depth in a paper that was published at the 2023 ACSAC Conference in Austin, Texas.

Clickbait PDFs bypass detection mechanisms

With the introduction of Clickbait PDFs, scammers have found a new way to get ahead of the curve. “PDFs were already known to represent a threat to users, but these PDFs then contained malware”, says Giada Stivala. These files were usually emailed to users, and if opened, they would run code that infected user devices. As this kind of attack is already well-known and studied, malware scanners have gotten quite adept at catching them and warning users. Clickbait PDFs, however, do not contain malware. Code-wise, they are indistinguishable from benign PDF files, such as a genuine tax declaration form. As normal detection mechanisms fall short of detecting their malicious intent, they can be listed in ordinary search results. Users looking for a specific file, such as a manual for a printer, might thus encounter a Clickbait PDF with a simple search query, Stivala explains.

Designed to “steal your click”

Giada Stivala and her colleagues were first approached by an industry contact working with large amounts of customer data, whose scanners had suddenly registered an uptick in PDF files. As these PDFs did not contain any malware, their purpose was unclear. Investigating these files, Stivala encountered a plethora of different scams: for example, PDFs pretending to be video players, streaming the newest movies for free or even promising free Bitcoin with just one click. The files are designed to “steal your click”, as Stivala puts it. Scammers leverage the fact that all common browsers have integrated PDF support nowadays, so a PDF opens similarly to a regular webpage. Unsuspecting users might not even realize the difference between looking at a PDF or a webpage inside their browser. A single click inside one of these PDFs is enough to lead users to so-called “attack web pages” that might compromise their devices and data. These pages are similar to what users would encounter in a more traditional phishing scheme via email, as the challenge for scammers often is to get users to even access their malicious web pages in the first place. “In a sense, the part after the PDF file does not change. But the PDF itself introduces a novelty, because it is harder to defend against”, Stivala says.

SEO poisoning fuels clickbaiting attacks

To make sure that people actually encounter their Clickbait PDFs in the wild, scammers employ what is called “Black Hat Search Engine Optimization (SEO)” or “SEO Poisoning”. “Search Engine Optimization per se is not bad. It can be used for entirely ethical and legal reasons”, Stivala says. It is essentially a method of optimizing a web page to make sure it is ranked high in search results. A company might do this for marketing reasons, for example. In SEO poisoning, however, malicious webpages are optimized to be ranked higher even though they are either irrelevant to the user’s search query or downright dangerous to their devices. This works, for instance, by including tons of keywords in a page. If a user is searching where to stream a movie for free, including keywords such as the name of the movie would make the page rank higher. Even worse, scammers managed to upload their PDFs to servers of legitimate websites that were insufficiently secured but had a “good reputation”, such as pages of local businesses or schools. Because these sites do not appear to be malicious, search engines ranked these files higher in the search results. And because malware scanners did not flag the files as malicious, affected website providers were not alerted for the most part. “They didn’t even realize that these files were on their servers before we notified anti-phishing entities and website owners”, Stivala says.
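For a site owner, one way to find PDFs on their own server whose links lead off-site, the situation described above. This is an added example, not code from the article or the CISPA paper; the function names, sample bytes and hostnames are constructed. It reads link targets from PDF URI actions, including those inside Flate-compressed streams.

```python
import re
import zlib
from pathlib import Path
from urllib.parse import urlsplit

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)

def link_targets(pdf_bytes):
    """URI action targets found in plain and Flate-compressed PDF objects."""
    chunks = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, font, encrypted stream)
    uris = set()
    for chunk in chunks:
        for m in URI_RE.finditer(chunk):
            # Undo the \( \) \\ escapes of PDF literal strings.
            uris.add(re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1"))
    return sorted(uris)

def host_of(uri):
    try:
        return (urlsplit(uri).hostname or "").lower()
    except ValueError:  # malformed URL: keep it visible in the report
        return "(unparseable)"

def external_hosts(pdf_bytes, own_hosts):
    """Hosts the PDF links to that are not the site's own (a review list)."""
    hosts = {host_of(u) for u in link_targets(pdf_bytes)}
    return sorted(h for h in hosts if h and h not in own_hosts)

def audit_webroot(root, own_hosts):
    """Map each PDF under root to the external hosts its links point to."""
    pdfs = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() == ".pdf")
    report = {str(p): external_hosts(p.read_bytes(), own_hosts) for p in pdfs}
    return {p: h for p, h in report.items() if h}

# Constructed sample: one link annotation in the clear, one URI in a Flate stream.
SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]\n"
    b"/A << /S /URI /URI (https://redirect.example.invalid/go?id=1) >> >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /URI /URI (https://www.school.example/form.pdf) >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)
```

Benign PDFs link to other sites too, so the output is a list of files to review, most useful for spotting PDFs the site owner never uploaded.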

User awareness is the best protection

After the research team from CISPA notified these entities, things seem to have improved and fewer of these Clickbait PDFs appear among search results. Giada Stivala is currently working on a follow-up study to see how big this threat still is. Until then, what is the best way for users to protect themselves from this type of attack? “There is no silver bullet”, Stivala says. “These attacks exploit what is called the weak link in the system, which is usually the human.” Users can start by paying attention to tiny clues, such as the URL in the browser showing a PDF where there should be a normal webpage. And in general, users should be aware that if something seems too good to be true, such as the latest movies being streamed for free or a webpage gifting you free Bitcoin, they’re probably looking at a phishing scam. That goes for webpages as well as for PDFs.


TL;DR Episode #29

If you want to learn more about the research of Giada Stivala, listen to the latest episode of TL;DR, the CISPA Podcast. Giada talks about how she scoured hacker forums to get to the bottom of these attacks and what the road from discovery to a finished research paper that is presented at a conference looks like.