A while ago I read a note on the Zscaler blog about PDF files being used for spam, and while looking at one of the sites that takes advantage of it I found some interesting things.
In the following screenshot you can see one of the spam documents loaded in the browser; its content is nothing but keywords related to pharmaceutical products, plus a link:
PDF spam on pharmaceutical products
Clicking the link lands on a fake online pharmacy hosted on a Ukrainian server under an Indian domain (.in):
Fake online pharmacy
The spam PDF is hosted on the server of a United States university; it seems they forgot to update their wiki software and it got filled with spam:
PDF files on the infected site
Although antivirus programs are capable of detecting this type of content, they do not always do so: a random document recently uploaded to VirusTotal was detected by 4 of 42 engines, which is a fairly low rate.
Imagine the same thing but taking advantage of other keywords, such as famous book titles, with redirects to infecting sites… there are many people searching for PDFs on the internet, and there are many PDF search engines that simply show results pulled from Google! They could really be doing damage, if they are not doing it already…
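As an added example (not part of the original post nor of Zscaler's research), here is a small Python scanner a wiki administrator could run over the PDFs in an upload directory: it pulls the literal text strings and the /URI link annotations out of each file with byte-level parsing and flags files that combine a high density of pharmaceutical keywords with a link to a domain outside the site. The keyword list, the threshold, the domain names and the hand-built sample PDFs are assumptions and constructed test data, not material from the post.

```python
import re
from urllib.parse import urlparse

# Keyword list and threshold are assumptions for this example; tune to the spam seen.
PHARMA_TERMS = {"viagra", "cialis", "pharmacy", "pills", "prescription"}
KEYWORD_RATIO_THRESHOLD = 0.3
# Literal strings shown with Tj, and /URI entries of link actions. Byte-level
# parsing like this only sees uncompressed streams and unescaped strings,
# which is enough for crude keyword-stuffed spam but not for every PDF.
TEXT_RE = re.compile(rb"\(([^()]*)\)\s*Tj")
URI_RE = re.compile(rb"/URI\s*\(([^()]*)\)")

def extract_uris(pdf: bytes) -> list:
    return [m.decode("latin-1") for m in URI_RE.findall(pdf)]

def scan_pdf(pdf: bytes, trusted_domains: set) -> dict:
    """Score one PDF: pharma keyword density plus links leaving the site."""
    text = " ".join(m.decode("latin-1") for m in TEXT_RE.findall(pdf))
    words = re.findall(r"[a-z]+", text.lower())
    hits = sum(1 for w in words if w in PHARMA_TERMS)
    ratio = hits / len(words) if words else 0.0
    uris = extract_uris(pdf)
    external = [u for u in uris if urlparse(u).hostname not in trusted_domains]
    return {
        "uris": uris,
        "external_uris": external,
        "keyword_ratio": round(ratio, 3),
        "suspicious": bool(external) and ratio >= KEYWORD_RATIO_THRESHOLD,
    }

def build_sample_pdf(text: str, uri: str) -> bytes:
    """Hand-build a minimal single-page PDF (constructed test data)."""
    content = f"BT /F1 12 Tf ({text}) Tj ET".encode()
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /Length %d >>\nstream\n" % len(content), content, b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n" % uri.encode(),
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])

# Constructed samples: a keyword-stuffed PDF linking off-site, and a clean one.
SPAM_PDF = build_sample_pdf(
    "viagra cialis cheap pills online pharmacy buy viagra no prescription cialis",
    "http://pharmacy-example.in/buy")
CLEAN_PDF = build_sample_pdf(
    "minutes of the faculty meeting on the new library hours",
    "https://wiki.example.edu/minutes")
```

Run `scan_pdf(open(path, "rb").read(), {"wiki.example.edu"})` over each uploaded file and review anything marked suspicious; real spam PDFs often compress their content streams, so a full parser (for example a PDF library) is needed once the crude cases are cleaned up.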
But PDF spam is not the only thing on this compromised site; I also came across pages linking to fraudulent software stores (the famous OEM stores, found even on the NASA site!):
OEM software spam
Clicking lands on a fraudulent store that sells pirated software as if it were genuine:
Fraudulent site selling software
I'm going to write to the webmaster of the infected site to warn them, which is why I crossed out the URLs. The Zscaler note also has this and many more examples of compromised .edu sites.
See also: Returning an undetectable PDF (video conference).