Uncovering the Role of Support Infrastructure in Clickbait PDF Campaigns

TL;DR

This study analyzes the infrastructure behind clickbait PDFs used in web attacks, revealing diverse hosting types, exploited software components, and limited long-term impact of abuse notifications.

Contribution

It provides the first large-scale real-time analysis of hosting infrastructure and software components involved in clickbait PDF campaigns, highlighting challenges in abuse mitigation.

Findings

Hosts are diverse and fall into three main types.

Eight software components are exploited for PDF uploads.

Vulnerability notifications have limited long-term impact.

Abstract

Clickbait PDFs, an entry point for multiple Web attacks, are distributed via SEO poisoning and rank high in search results due to being massively uploaded on abused or compromised websites. The central role of these hosts in the distribution of clickbait PDFs remains understudied, and it is unclear whether attackers differentiate the types of hosting for PDF uploads, how long they rely on hosts, and how affected parties respond to abuse. To address this, we conducted real-time analyses on hosts, collecting data on 4,648,939 clickbait PDFs served by 177,835 hosts over 17 months. Our results revealed a diverse infrastructure, with hosts falling into three main hosting types. We also identified at scale the presence of eight software components which facilitate file uploads and which are likely exploited for clickbait PDF distribution. We contact affected parties to report the misuse of their resources via a large-scale vulnerability notification. While we observed some effectiveness in terms of number of cleaned-up PDFs following the notification, long-term improvement in this infrastructure remained insignificant. This finding raises questions about the hosting providers' role in combating abuse and the actual impact of vulnerability notifications.