Beware of Clickbait PDF Phishing Attacks Lurking in Search Results

Martin Kraemer | Aug 14, 2023

We previously reported independently on PDF-based phishing attacks skyrocketing and the rise of SEO attacks. A recent research study found that the combination of both is quite common. Most worryingly, PDF-based SEO attacks are poorly detected by common defense mechanisms such as blocklists, ad blockers or even crowdsourced antivirus services such as VirusTotal.

PDF-based attacks can be anything from a website embedded in a PDF file to an email. Attackers exploit any visual reminiscent of familiar interfaces to trick victims into believing they are visiting the real thing and not a PDF. 

SEO attacks optimize combinations of keywords to “poison” SEO algorithms into ranking the malicious website, PDF file or any other link. Attackers may search the web for common but unsolved technical issues and mask their malware as the new solution. Other approaches leverage “data voids”, i.e., rare combinations of popular search terms. Any website using these terms will automatically rank high. Either way, the search results wait for victims to find them.

The combination of clickbait PDF and SEO attack is then not exactly surprising. It is yet another attack vector for social engineering attacks. A recent research study identifies Clickbait PDFs not only as attachments to phishing emails, but also lurking on popular search engines. The attacks come in two main flavors: credential phishing and malware downloads, both potentially wreaking havoc on individuals and organizations alike.

The researchers find that most clickbait PDFs in their dataset reside outside emails, and instead form large clusters. Notably, three prominent clusters have been detected: reCAPTCHA, ROBLOX Text, and ROBLOX Picture. These clusters require interconnected PDF files, forming intricate networks for distribution through SEO tactics. 

While blocklists do provide a level of protection (up to 15%), they fall short of offering comprehensive security against this new breed of threats. Traditional ad blockers prove effective against malicious advertisements and data harvesting, but prove inadequate against other forms of attack. A significant portion of these clickbait clusters have also managed to evade detection by established antivirus solutions (e.g., VirusTotal). The researchers also suggest that these documents escape the security mechanisms of well-known hosting providers – Cloudflare, AWS and Google Cloud Platform.
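Where blocklists and antivirus verdicts are unreliable, a defender can still triage suspect PDFs locally by pulling out the link targets they carry and grouping files by destination host. The sketch below is an added example, not code from the study or from this article; it assumes the lure PDFs use standard `/URI` link actions, and the helper names, sample bytes and `.example` hosts are constructed for illustration.

```python
import re
import zlib
from collections import defaultdict
from urllib.parse import urlsplit

# /URI (...) literal strings; hex-string URIs (<...>) are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def extract_uris(pdf_bytes):
    """Return link targets found in plain objects and Flate-compressed streams."""
    chunks = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a stream whose last byte the regex trimmed
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # image, font or a non-Flate filter: nothing to scan
    uris = set()
    for chunk in chunks:
        for m in URI_RE.finditer(chunk):
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
            uris.add(raw.decode("latin-1"))
    return uris

def cluster_by_host(files):
    """Map each destination host to the sorted names of PDFs linking to it."""
    clusters = defaultdict(list)
    for name, data in files.items():
        hosts = {urlsplit(u).hostname for u in extract_uris(data)}
        for host in hosts - {None}:
            clusters[host].append(name)
    return {host: sorted(names) for host, names in clusters.items()}

def make_sample(uri, compress=False):
    """Constructed test bytes: one link annotation, not a complete PDF."""
    obj = b"<< /Subtype /Link /A << /S /URI /URI (" + uri + b") >> >>"
    if compress:  # hide the annotation inside a Flate-compressed stream
        obj = (b"<< /Filter /FlateDecode >>\nstream\n"
               + zlib.compress(obj) + b"\nendstream")
    return b"%PDF-1.7\n1 0 obj\n" + obj + b"\nendobj\n%%EOF\n"

SAMPLES = {  # constructed inputs; two files share one destination host
    "a.pdf": make_sample(b"https://lure.example/verify?id=1"),
    "b.pdf": make_sample(b"https://lure.example/verify?id=2", compress=True),
    "c.pdf": make_sample(b"https://docs.example/manual"),
}

if __name__ == "__main__":
    for host, names in sorted(cluster_by_host(SAMPLES).items()):
        print(host, names)
```

Grouping by host is a simple proxy for spotting related files and is not the clustering method used by the researchers.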

Hence, we must empower people to spot social engineering attempts and act appropriately. It does not matter whether the attack is a phishing email or a clickbait PDF delivered through search engine results. The new attack pattern once more highlights the need for new-school security awareness training to enable humans as the last line of defense.
