2024-06-01
Conference: EURO SP
DOI: 10.1109/EuroSP60621.2024.00017
Clickbait PDFs serve as an entry point for various web attacks, often distributed via SEO poisoning to rank high in search results and massively uploaded to compromised websites. Despite the significant role of these hosting platforms in enabling the distribution of clickbait PDFs, little is known about the attackers' preferences for infrastructure, the duration of abuse, or how hosting services respond to such misuse. This paper provides a systematic study of the infrastructure supporting clickbait PDF campaigns, analyzing data from 4.6 million clickbait PDFs served by 177,835 hosts over 17 months. Our findings reveal that clickbait PDFs are hosted across different types of infrastructure, including Object Storage, Website Hosting, and CDN, and that attackers exploit vulnerable or outdated software to upload malicious files. The study also evaluates the impact of large-scale vulnerability notifications, observing limited long-term improvements, raising questions about the role of hosting providers in mitigating abuse.
This research focuses on the often-overlooked role of support infrastructure in the distribution of clickbait PDFs, which are used to facilitate attacks like phishing and malware downloads. The study tracks 4.6 million clickbait PDFs distributed by nearly 178,000 hosts and classifies the infrastructure into three main hosting types: Object Storage, Website Hosting, and CDN. A major aspect of the research was identifying eight outdated software components that facilitated file uploads, showing how these vulnerabilities are exploited. Despite a significant effort to notify hosting providers of their role in this abuse, the study found that the effectiveness of these notifications was limited, with most of the hosts reverting to the same behavior shortly after cleanup. The research highlights the need for more robust and proactive mitigation strategies to handle the abuse of legitimate hosting infrastructure for malicious campaigns.