Cybercriminals are using SEO to improve the ranking of malicious PDFs on search results

Tudor Cibean

In brief: Netskope's new security report shows a fivefold yearly increase in malicious PDF phishing downloads, with many victims referred from search engines. Meanwhile, downloads of Microsoft Office files containing malware have returned to pre-Emotet levels.

Netskope, a security service edge provider, has just published its new Cloud and Threat Report, which examines the past 12 months of malware downloads from the cloud and the web.

Research shows that there's been a 450 percent yearly increase in malicious PDF phishing downloads, with attackers using search engine optimization (SEO) techniques to improve the ranking of malicious PDF files on search engines such as Google and Bing.

These files often take the form of fake file sharing requests, fake invoices, or even fake Captchas that redirect users to phishing, spam, scam, and malware websites.

According to the report, most malware is being downloaded from within the same region as its victim in order to avoid geofencing filters. Over 80 percent of all malware downloads by victims in North America were downloaded from websites hosted there.

There are several other noteworthy findings in the report. Trojans continue to be effective, with 77 percent of malware downloads being Trojans. There is no single Trojan family that is globally dominant, with the top 10 families accounting for only 13 percent of all downloads.

Cybercriminals use a combination of web and cloud to target their victims: 53 percent of malware downloads originate from traditional websites and the rest from cloud apps used for collaboration and webmail. Through those apps, attackers can reach their victims via emails, direct messages, comments, and document shares.

EXE and DLL files account for 46 percent of all malware downloads, while malicious Microsoft Office files have returned to pre-Emotet levels, with just nine percent of the total.


Vanderlinde

I have to wonder how well a malware blocking DNS would do against something like this.

Nothing, because it's usually hosted on domains that have a good reputation. The thing is within the PDF as an exploit that people download and open, and then malware gets installed.

I have 15 servers of my own as well, and we do in this case some tricks to scan any uploaded content for potential malware. Because of that most of the time everything stays clean.

It's the servers that have zero to no maintenance or security features that do get infected.

bviktor

Nothing, because it's usually hosted on domains that have a good reputation. The thing is within the PDF as an exploit that people download and open, and then malware gets installed.

I have 15 servers of my own as well, and we do in this case some tricks to scan any uploaded content for potential malware. Because of that most of the time everything stays clean.

It's the servers that have zero to no maintenance or security features that do get infected.
Hosting is irrelevant. The PDF wants to submit data to the malicious domain and it won't work due to DNS filtering. So in the worst case you can still open the PDF, but form submission won't work.

... if the domain is indeed on the DNS denylist, that is.
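As an added illustration of the DNS-filtering point raised above (example code, not from the article, the commenters, or Netskope): a small Python checker that pulls the outbound link and form-submit URLs out of an uncompressed PDF and matches their hosts against a denylist, which is the decision a filtering resolver would make before the submission ever leaves the machine. The PDF bytes and the denylist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF fragment (not a real file
# from the report) with a link annotation and a form-submit action.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://docs-share.example/open?id=42) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Widget /FT /Btn
  /A << /S /SubmitForm /F << /FS /URL /F (https://collect.example/verify) >> /Flags 4 >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://www.example.org/legit) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hypothetical denylist of hostnames, standing in for a DNS filter's feed.
DENYLIST = {"docs-share.example", "collect.example"}

# Literal-string values of /URI (link actions) and /F (submit-form targets).
_URL_KEY = re.compile(rb"/(URI|F)\s*\(([^)]*)\)")


def extract_actions(pdf: bytes) -> list[tuple[str, str]]:
    """Return (action_kind, url) pairs for outbound URLs found in the PDF.

    Only literal strings in uncompressed objects are seen; URLs inside
    compressed object streams need a real PDF parser.
    """
    found = []
    for key, raw in _URL_KEY.findall(pdf):
        url = raw.decode("latin-1")
        if url.lower().startswith(("http://", "https://")):
            kind = "link" if key == b"URI" else "form-submit"
            found.append((kind, url))
    return found


def check_against_denylist(pdf: bytes, denylist: set[str]) -> list[dict]:
    """Flag every outbound URL whose host, or a parent domain, is denylisted."""
    results = []
    for kind, url in extract_actions(pdf):
        host = (urlparse(url).hostname or "").lower()
        parts = host.split(".")
        blocked = any(".".join(parts[i:]) in denylist for i in range(len(parts)))
        results.append({"kind": kind, "host": host, "blocked": blocked})
    return results


if __name__ == "__main__":
    for finding in check_against_denylist(SAMPLE_PDF, DENYLIST):
        print(finding)
```

The third link resolves normally, which is the gap the last comment points at: a filter only helps for domains already on the list.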