Hackers Are Using SEO To Rank Malicious PDFs On Search Engines, Research Finds
An anonymous reader quotes a report from VentureBeat: Today, researchers at security service edge provider, Netskope, published the Netskope Cloud and Threat Report: Global Cloud and Malware Trends, which found that phishing downloads rose 450% over the past 12 months, and highlighted that attackers are using search engine optimization (SEO) to rank malicious PDF files on search engines. The report's findings show that phishing attempts are constantly evolving, and attackers aren't just targeting employees through their email inboxes; they're also using popular search engines like Google and Bing. The increase in phishing attacks and the growing popularity of SEO techniques among cybercriminals highlight the need for enterprises to provide their employees with security awareness training so they're prepared to spot threats and not at risk of handing over sensitive information.
When it comes to defending against these SEO-driven attacks, [Ray Canzanese, director of Netskope's Threat Labs] highlights several methods that security teams can use to protect employees. One of the most effective is to use a solution that can decrypt and scan web traffic for malicious content. At the same time, security teams should encourage users to inspect all links they click on, and to exercise caution if the link takes them to an unfamiliar website. In the event an employee does click on a malicious PDF, they can expect to see a fake captcha at the top of the first page, followed by text on other pages. In these scenarios, users should close the file, delete it from the device and report it to the security team ASAP. Canzanese also notes that it's important for users to report malicious URLs that feature on popular search engines to help the provider unlist them from the site and prevent other users from falling victim to a scam.
Web browsers as document viewers (Score:2, Insightful)
I remember the days of the IE argument, let us set a blank home page. The engineers' response was, why would you open a program that operates as a document viewer, without a document to view?
Finally they gave in, and "about:blank" was born.
MS Edge, last I read, does not respond to ESC as a command to stop loading a page. I don't want whatever homepage someone has set up, I don't want to wait for it to load, for you to parse it, for you to download the images, and especially not the scripts.
At one point, I
Re: (Score:3, Interesting)
[...] It's probably easier to render it to an image and do OCR rather than try to extract text. And it's downhill from there [...]
In order to fight SEO I once suggested this method: render the page, screenshot the entire thing, OCR it, compare the resulting text with the text from a "Save as text" or a "grab as googlebot" of the original page. The more different they are, the more you downrank the page.
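The comparison step of the method described in the comment above, as an added example that is not part of the original thread. It assumes the OCR text of the rendered page and the crawler-extracted text have already been obtained; the function names, the 0.25 tolerance and the sample strings are constructed for illustration.

```python
import re
from collections import Counter

def tokens(text):
    """Lowercase word tokens; drops punctuation and one-character OCR specks."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if len(t) > 1]

def divergence(ocr_text, extracted_text):
    """Multiset Jaccard distance: 0.0 = same words in both views, 1.0 = no overlap."""
    a, b = Counter(tokens(ocr_text)), Counter(tokens(extracted_text))
    union = sum((a | b).values())
    if union == 0:          # both views empty: nothing to compare
        return 0.0
    return 1.0 - sum((a & b).values()) / union

def hidden_terms(ocr_text, extracted_text, top=5):
    """Words served to the crawler that never appear on the rendered page."""
    extra = Counter(tokens(extracted_text)) - Counter(tokens(ocr_text))
    return [word for word, _ in extra.most_common(top)]

def rank_multiplier(score, tolerance=0.25):
    """Ignore divergence within OCR-noise tolerance; scale the rest down linearly."""
    if score <= tolerance:
        return 1.0
    return round(1.0 - (score - tolerance) / (1.0 - tolerance), 3)

# Constructed samples: an honest page with one OCR misread ("rep0rt"), and a
# page that shows a fake captcha while serving keyword-stuffed text to crawlers.
HONEST_OCR = "Quarterly rep0rt 2021. Revenue grew 12 percent year over year."
HONEST_EXTRACTED = "Quarterly report 2021. Revenue grew 12 percent year over year."
CLOAKED_OCR = "Verify you are human. Click to continue."
CLOAKED_EXTRACTED = ("free ebook download pdf free manual download pdf "
                     "free template verify you are human")

if __name__ == "__main__":
    for name, ocr, ext in [("honest", HONEST_OCR, HONEST_EXTRACTED),
                           ("cloaked", CLOAKED_OCR, CLOAKED_EXTRACTED)]:
        score = divergence(ocr, ext)
        print(name, round(score, 3), rank_multiplier(score),
              hidden_terms(ocr, ext, top=3))
```

The tolerance exists because OCR misreads alone produce a nonzero score on honest pages, so only divergence beyond that noise floor should affect ranking.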
Re: (Score:2)
That's actually a killer idea for a search engine.
Re:Web browsers as document viewers (Score:4, Insightful)
There are engineers and "engineers". The fake variant is unfortunately the prevalent one in the software space. A real engineer understands security, reliability and unintended consequences. The fake version does not.
As to PDF-viewers, it was pretty clear way back that eventually most documents need to be regarded as hostile. But the fake engineers never prepared for that because they simply did not see it. They instead added features, made things more interoperable and generally opened us up to attacks of all kinds. And that is the reason for the current mess we have.
Really? who wants this? (Score:4, Insightful)
We used to have automatic immunity to this (Score:4, Interesting)
They lost 99% of users... (Score:3)
Leave external docs external (Score:2)
Why is PDF so special? (Score:2)
At this point, HTML is a more complex language than PDF. What if malicious actors start using SEO to promote malicious or phishing HTML files? What to do then?
Anyway, little can be done except IT departments making sure that installed software opening both PDF and HTML has no known vulnerabilities, and employees being educated to not type their passwords in places which have no business asking for passwords. And NOT to "close PDF files where the first page contains fake captcha, and next pages contain text"
Re: (Score:2)
Neuter the PDFs? (Score:2)