Uncovering the Role of Support Infrastructure in Clickbait PDF Campaigns

Giada Stivala, Gianluca De Stefano, Andrea Mengascini, Mariano Graziano, Giancarlo Pellegrino

TL;DR

The paper analyzes clickbait PDFs distributed via SEO poisoning to understand the hosting infrastructure that enables their widespread distribution. Using a data-driven, real-time approach with Seed and Main datasets and the Grape pipeline, it identifies three hosting types, eight upload-related components, and substantial indicators of compromise, while evaluating mitigation via large-scale vulnerability notifications. The study shows that while short-term remediation of online PDFs improves with notifications, long-term reductions are limited, revealing a persistent, exploitable hosting ecosystem and prompting consideration of broader defense strategies beyond blocklists. The findings highlight the role of hosting providers, outdated software, and common upload vectors in sustaining clickbait PDF campaigns, underscoring the need for ongoing collaboration with affected parties and improved upstream defenses to curb this threat.

Abstract

Clickbait PDFs, an entry point for multiple Web attacks, are distributed via SEO poisoning and rank high in search results due to being massively uploaded on abused or compromised websites. The central role of these hosts in the distribution of clickbait PDFs remains understudied, and it is unclear whether attackers differentiate the types of hosting for PDF uploads, how long they rely on hosts, and how affected parties respond to abuse. To address this, we conducted real-time analyses on hosts, collecting data on 4,648,939 clickbait PDFs served by 177,835 hosts over 17 months. Our results revealed a diverse infrastructure, with hosts falling into three main hosting types. We also identified at scale the presence of eight software components which facilitate file uploads and which are likely exploited for clickbait PDF distribution. We contact affected parties to report the misuse of their resources via a large-scale vulnerability notification. While we observed some effectiveness in terms of number of cleaned-up PDFs following the notification, long-term improvement in this infrastructure remained insignificant. This finding raises questions about the hosting providers' role in combating abuse and the actual impact of vulnerability notifications.

Paper Structure (57 sections, 8 figures, 8 tables)

Figures (8)

  • Figure 1: The interconnections between clickbait PDFs.
  • Figure 2: Grape modules and I/O data connections.
  • Figure 3: (a) Distribution of FQDN per eTLD+1. (b) Distribution of .pdf links per eTLD+1. Data from the Setup phase.
  • Figure 4: Example showing static resources residing on a different domain (PDFs in the CDN category).
  • Figure 5: Distribution of clickbait PDF uptimes per hosting type, across our 13-month study.
  • ...and 3 more figures