Spam PDF with JavaScript on compromised .edu sites


A while ago I was reading a post on the Zscaler blog about PDF files being used for spam, and while looking at one of the sites involved I found some interesting things.

In the following screenshot you can see one of the spam documents loaded in the browser; its content is nothing but keywords related to pharmaceutical products, plus a link:

PDF spam on pharmaceutical products

Clicking the link leads to a fake online pharmacy hosted on a Ukrainian server under an Indian (.in) domain:

Fake online pharmacy

The spam PDF is hosted on the server of a United States university; it looks like they forgot to update their wiki software and it was filled with spam:

PDF files on the infected site

In some PDFs the user has to click the link themselves, but in others they added obfuscated JavaScript to perform the redirect, so that clicking the Google result could land you straight on the fake pharmacy page. Whether that happens depends on which PDF reader is used and whether it executes the document's JavaScript (Adobe Reader does so by default unless the option is disabled; many other viewers do not run PDF JavaScript at all).

Although antivirus engines are capable of detecting this kind of code, they do not always do so: a random document recently uploaded to VirusTotal was detected by 4 of 42 engines, which is a fairly low rate.
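A practical check for the two points above (scripted redirects hidden behind obfuscation, and AV engines missing them) is to extract the JavaScript yourself. The following Python script is an added example, not code from the original post or from Zscaler: it finds the auto-run keys (/OpenAction, /AA), undoes the hex-escaped name trick (/Ja#76aScript for /JavaScript) and pulls the /JS payload out of an inline string (decoding octal escapes and hex strings) or out of a FlateDecode-compressed stream object, then lists the URLs found in the script. The two sample PDFs, the placeholder URLs pharmacy.example and oem-store.example, and the app.launchURL/getURL calls in them are constructed for the demo.

```python
# Added example, not code from the original post or from Zscaler. Finds the
# auto-run keys (/OpenAction, /AA), undoes #xx name escaping (/Ja#76aScript) and
# extracts each /JS payload from an inline string or a FlateDecode stream object.
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")            # one name token
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")           # #xx inside a name
TRIGGER_RE = re.compile(rb"/(OpenAction|AA)\b")           # auto-run action keys
JS_KEY_RE = re.compile(rb"/JS(?=[\s(<])\s*")              # /JS followed by its value
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}

# Constructed sample 1: inline /JS string, hex-escaped key names, placeholder URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /OpenAction 4 0 R >>
endobj
4 0 obj
<< /S /Ja#76aScript /J#53 (app.launchURL("http://pharmacy.example/", true);) >>
endobj
"""

def build_stream_sample() -> bytes:
    """Constructed sample 2: /JS references a FlateDecode-compressed stream."""
    comp = zlib.compress(b'this.getURL("http://oem-store.example/");')
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 5 0 R >> >>\n"
            b"endobj\n5 0 obj\n<< /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + comp + b"\nendstream\nendobj\n%%EOF\n")

def normalize_names(data: bytes) -> bytes:
    """Undo #xx escaping inside name tokens: /Ja#76aScript -> /JavaScript."""
    unhex = lambda e: bytes([int(e[1], 16)])
    return NAME_RE.sub(lambda m: NAME_ESC_RE.sub(unhex, m[0]), data)

def read_string_token(data: bytes, pos: int) -> bytes:
    """Return the (...) or <...> token at data[pos], honouring nesting and escapes."""
    if data[pos:pos + 1] == b"<":
        return data[pos:data.index(b">", pos) + 1]
    depth, i = 0, pos
    while i < len(data):
        c = data[i:i + 1]
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return data[pos:i + 1]
        i += 2 if c == b"\\" else 1                # skip the escaped character
    raise ValueError("unterminated literal string")

def decode_pdf_string(tok: bytes) -> bytes:
    """Decode a PDF literal (...) or hex <...> string to raw bytes."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", tok[1:-1])
        return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        c, nxt = body[i:i + 1], body[i + 1:i + 2]
        if c != b"\\":
            out += c
            i += 1
        elif nxt in ESCAPES:
            out += ESCAPES[nxt]
            i += 2
        elif (octal := re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])):
            out.append(int(octal[0], 8) & 0xFF)    # \150\164\164\160 -> http
            i += 1 + len(octal[0])
        else:                                      # line continuation / unknown escape
            i += 2 if nxt in (b"\n", b"\r") else 1
    return bytes(out)

def stream_payload(raw_obj: bytes) -> bytes:
    """Stream data of an object, inflated if FlateDecode; endstream is trusted over /Length."""
    m = STREAM_RE.search(raw_obj)
    if not m:
        return b""
    if b"/FlateDecode" in normalize_names(raw_obj[:m.start()]):
        try:
            return zlib.decompress(m[1])
        except zlib.error:                         # truncated/corrupt stream: return raw
            pass
    return m[1]

def scan_pdf(pdf: bytes) -> dict:
    """Report auto-run triggers, every /JS script found and the URLs inside them."""
    objects = {(int(m[1]), int(m[2])): m[3] for m in OBJ_RE.finditer(pdf)}
    report = {"triggers": [], "scripts": [], "urls": []}
    for (num, _gen), raw in objects.items():
        s = STREAM_RE.search(raw)                  # parse only the dictionary part as text
        body = normalize_names(raw[:s.start()] if s else raw)
        report["triggers"] += [(num, t[0].decode()) for t in TRIGGER_RE.finditer(body)]
        for m in JS_KEY_RE.finditer(body):
            pos = m.end()
            ref = re.match(rb"(\d+)\s+(\d+)\s+R", body[pos:])
            if not ref and body[pos:pos + 1] not in (b"(", b"<"):
                continue                           # malformed value, skip it
            script = (stream_payload(objects.get((int(ref[1]), int(ref[2])), b"")) if ref
                      else decode_pdf_string(read_string_token(body, pos)))
            report["scripts"].append(script)
            report["urls"] += URL_RE.findall(script)
    return report
```

To run it on a real sample, pass the file's bytes to scan_pdf(); a non-empty "triggers" list together with a script that calls app.launchURL or getURL is exactly the redirect pattern described above. The parser deliberately ignores /Length and cuts streams at the endstream keyword, and it only treats the dictionary part of each object as text, so hex-escaped names inside compressed data cannot confuse it.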

Imagine the same technique with other keywords, such as the titles of popular books, and redirects to sites that infect visitors... many people search the internet for PDFs, and there are many PDF search engines that simply show Google results! They could really be doing damage, if they are not doing it already...

But PDF spam is not the only thing on this compromised site; I also came across pages linking to fraudulent software stores (the well-known "OEM" stores, which have even been found on the NASA site!):

OEM software spam

Clicking leads to a fraudulent store that sells pirated software as if it were genuine:

Fraudulent site selling software

I am going to write to the webmaster of the infected site to warn them, which is why I crossed out the URLs. The Zscaler post also has this and many more examples of compromised .edu sites.

