Send email Copy Email Address


Episode 29 of CISPA TL;DR is online: Giada Stivala talks about Clickbait PDFs

Clickbait PDFs are even worse than Clickbait headlines: they are a new type of phishing attack, first studied by CISPA researcher and PHD candidate Giada Stivala and her colleagues. These PDF files don’t contain any malware per se – instead they try to coax users into clicking somewhere in the file, thus leading to malicious web pages that could potentially steal their data. In this episode of TL;DR, Giada Stivala talks about how she scoured hacker forums to get to the bottom of these attacks and what the road from discovery to a finished research paper looks like.

Clickbait PDFs are a perfect example of the proverbial cybersecurity „cat-and-mouse game”: hackers think of new attacks and deploy them, cybersecurity researchers develop countermeasures to stop the attacks, hackers in turn work around the countermeasures, continuing the cycle ad infinitum. As email clients get better at detecting and sorting out phishing mails and web browsers block malicious web pages more effectively, scammers are looking for new ways to steal data from unsuspecting users. “These protection mechanisms work pretty well, so attackers have to be ahead of the system and try not to be detected”, says Giada Stivala.

Clickbait PDFs are such a new way to get ahead of the curve. As these files itself are, code-wise, indistinguishable from benign PDF files, normal detection mechanisms fall short of detecting their malicious intent. Looking like innocent PDF files to search engines, they are ordinarily ranked in search results. Users looking for a specific file, such as a printer user manual, might encounter a Clickbait PDF with a simple search query. Without even realizing they are already looking at a PDF file, they are then enticed to click somewhere in the file, for example by the file mimicking a captcha form, asking to identify the user as human. A single click is then enough to lead users to so-called “attack web pages” that might compromise their device or prompt them to give away more of their data. These pages are similar to what users would encounter in a more traditional phishing scheme. That is not unusual, as the challenge for scammers often is to get users to even access their malicious web pages in the first place. “In a sense, the part after the PDF file does not change. But the PDF itself introduces a novelty, because it is harder to defend against”, says Stivala. And just like that, a new round of the “cat-and-mouse-game” has started with the introduction of Clickbait PDFs.

To find out how this “cat-and-mouse game” continues and how to protect your data against this new type of attack, listen to the latest episode of CISPA TL;DR. Available now!

TL;DR, short for "Too Long Didn't' Read," is the name of our CISPA podcast, with "Women in Cybersecurity" as a special edition. It has been on the air since 2022, and it's available on all major podcast platforms. Each month, we talk to CISPA researchers about their work on cybersecurity issues and artificial intelligence, and try to ask them the exact questions that listeners are asking themselves. Our goal is to explain complex topics in simple language. As people from 43 nations work at CISPA, the conversations are recorded in German and English, alternating between the two languages.