CISPA
Browse
- No file added yet -

From Attachments to SEO: Click Here to Learn More about Clickbait PDFs!

Download (1.08 MB)
conference contribution
posted on 2024-03-05, 12:20 authored by Stivala, Giada, Sahar Abdelnabi, Andrea MengasciniAndrea Mengascini, Graziano, Mariano, Mario FritzMario Fritz, Giancarlo PellegrinoGiancarlo Pellegrino
Clickbait PDFs are PDF documents that do not embed malware but trick victims into visiting malicious web pages leading to attacks like password theft or drive-by download. While recent reports indicate a surge of clickbait PDFs, prior works have largely neglected this new threat, considering PDFs only as accessories of email phishing campaigns. This paper investigates the landscape of clickbait PDFs and presents the first systematic and comprehensive study of this phenomenon. Starting from a real-world dataset, we identify 44 clickbait PDF clusters via clustering and characterize them by looking at their volumetric, temporal, and visual features. Among these, we identify three large clusters covering 89% of the dataset, exhibiting significantly different volumetric and temporal properties compared to classical email phishing, and relying on web UI elements as visual baits. Finally, we look at the distribution vectors and show that clickbait PDFs are not only distributed via attachments but also via Search Engine Optimization attacks, placing clickbait PDFs outside the email distribution ecosystem. Clickbait PDFs seem to be a lurking threat, not subjected to any form of content-based filtering or detection: AV scoring systems, like VirusTotal, rank them considerably low, creating a blind spot for organizations. While URL blocklists can help to prevent victims from visiting the attack web pages, we observe that they have a limited coverage.

History

Preferred Citation

Giada Stivala, Sahar Abdelnabi, Andrea Mengascini, Mariano Graziano, Mario Fritz, Giancarlo Pellegrino. From Attachments to SEO: Click Here to Learn More about Clickbait PDFs!. In: ACSAC '23. 2023.

Primary Research Area

  • Trustworthy Information Processing

Name of Conference

Annual Computer Security Applications Conference (ACSAC)

Legacy Posted Date

2023-11-20

Pages

15,0

Open Access Type

  • CC

BibTeX

@inproceedings{cispa_all_4052, author = {Giada Stivala AND Sahar Abdelnabi AND Andrea Mengascini AND Mariano Graziano AND Mario Fritz AND Giancarlo Pellegrino}, title = {From Attachments to SEO: Click Here to Learn More about Clickbait PDFs!}, booktitle = {ACSAC '23}, year = {2023} }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC