From Attachments to SEO: Click Here to Learn More about Clickbait PDFs!
Giada Stivala, Sahar Abdelnabi, Andrea Mengascini, Mariano Graziano, Mario Fritz, Giancarlo Pellegrino

TL;DR
This paper provides the first comprehensive analysis of clickbait PDFs, revealing their characteristics, distribution methods, and the challenges they pose to detection systems, highlighting a significant emerging cybersecurity threat.
Contribution
It systematically studies clickbait PDFs, identifying key clusters and features, and uncovers their distribution beyond email, emphasizing the need for new detection strategies.
Findings
Three large clusters account for 89% of clickbait PDFs.
Clickbait PDFs differ significantly from traditional phishing in volumetric and temporal features.
Current detection systems have limited effectiveness against clickbait PDFs.
Abstract
Clickbait PDFs are PDF documents that do not embed malware but trick victims into visiting malicious web pages leading to attacks like password theft or drive-by download. While recent reports indicate a surge of clickbait PDFs, prior works have largely neglected this new threat, considering PDFs only as accessories of email phishing campaigns. This paper investigates the landscape of clickbait PDFs and presents the first systematic and comprehensive study of this phenomenon. Starting from a real-world dataset, we identify 44 clickbait PDF clusters via clustering and characterize them by looking at their volumetric, temporal, and visual features. Among these, we identify three large clusters covering 89% of the dataset, exhibiting significantly different volumetric and temporal properties compared to classical email phishing, and relying on web UI elements as visual baits. Finally, we…
Taxonomy
Topics: Spam and Phishing Detection · Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting
