From Attachments to SEO: Click Here to Learn More about Clickbait PDFs!

2023-10-01

Conference: ACSAC

Authors: Giada Stivala, Sahar Abdelnabi, Andrea Mengascini, Mariano Graziano, Mario Fritz, Giancarlo Pellegrino

DOI: 10.1145/3627106.3627172

Abstract

Clickbait PDFs are PDF documents that do not embed malware but instead trick victims into visiting malicious web pages, leading to attacks like password theft or drive-by downloads. While recent reports indicate a surge of clickbait PDFs, prior works have largely neglected this new threat, viewing PDFs only as accessories of email phishing campaigns. This paper investigates the landscape of clickbait PDFs and presents the first systematic and comprehensive study of this phenomenon. We identify and characterize 44 clickbait PDF clusters using a real-world dataset, focusing on their volumetric, temporal, and visual features. Our findings reveal that clickbait PDFs are a new and prevalent threat, distributed not only as email attachments but also via Search Engine Optimization (SEO) attacks, making them largely undetectable by content-based filtering or detection methods.

Summary

This study dives into the phenomenon of clickbait PDFs, documents designed not to directly harm users through malware, but to trick them into clicking on links that lead to attacks like credential theft or drive-by downloads. Starting from a dataset of over 176,000 PDFs, we identified 44 distinct clusters, of which three major ones accounted for the bulk of malicious activity. Unlike typical phishing PDFs that are delivered via email, many of these clickbait PDFs rely on SEO attacks to reach victims, spreading outside the traditional email ecosystem and evading common detection systems. The study highlights the lack of adequate defenses against these attacks, showing the low efficacy of systems like VirusTotal in flagging these PDFs. Additionally, the study provides insights into the visual tricks used by attackers, such as mimicking web UI elements to deceive users into interacting with the malicious content.
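The defining property of a clickbait PDF described above is that the document carries no code, only a link (typically a `/Link` annotation with a `/URI` action) that takes the victim to the malicious page. The following script, an added example that is not part of the paper or its dataset, shows the minimal triage check a defender can run over a PDF: pull every `/URI` action out of the raw file and list the hosts they point to. The sample PDF, its hostnames and the function names are constructed placeholders; the check also reports whether the file contains compressed streams, because a plain byte scan cannot see annotations stored inside them and real-world triage needs a full PDF parser for those.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not from the paper): a minimal, uncompressed PDF whose only
# payload is two Link annotations with /URI actions, one as a literal string and
# one as a hex string. The hostname is a placeholder, not a real indicator.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 700]
   /A << /S /URI /URI (http://example-lure.invalid/click?c=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 400 500 500]
   /A << /S /URI /URI <687474703a2f2f6578616d706c652d6c7572652e696e76616c69642f646f776e6c6f6164> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI key followed by either a literal string "( ... )" (with backslash
# escapes) or a hex string "< ... >". The "/S /URI" action type is skipped
# because it is not followed by a string.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")


def _decode_literal(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that show up in URIs: \\( \\) \\\\ and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):  # backslash
            nxt = raw[i + 1]
            if nxt in b"01234567":  # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append(nxt)  # \( \) \\ and friends: keep the escaped byte
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in the raw (uncompressed) PDF bytes."""
    uris = []
    for m in _URI_RE.finditer(pdf_bytes):
        if m.group(1) is not None:
            uris.append(_decode_literal(m.group(1)))
        else:
            hexdigits = re.sub(rb"\s+", b"", m.group(2)).decode("ascii")
            if len(hexdigits) % 2:
                hexdigits += "0"  # PDF treats a trailing odd digit as if followed by 0
            uris.append(bytes.fromhex(hexdigits).decode("latin-1"))
    return uris


def triage(pdf_bytes: bytes) -> dict:
    """Summarise the external link targets of a PDF for analyst review."""
    uris = extract_uris(pdf_bytes)
    hosts = sorted({urlsplit(u).hostname for u in uris if urlsplit(u).hostname})
    return {
        "uris": uris,
        "hosts": hosts,
        # A byte scan cannot see annotations inside FlateDecode-compressed object
        # streams, so when such streams exist an empty result is not a clean verdict.
        "has_compressed_streams": b"/FlateDecode" in pdf_bytes,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run against the constructed sample it reports two URIs on a single host and no compressed streams; on a real clickbait PDF the interesting output is the host list, which is what a URL-reputation or sandbox check would then take as input, and the compressed-stream flag, which tells the analyst when to fall back to a full parser.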