Sophos Announces Google 'PDF Cloaking' Threat

A new variation on a cloaking attack could serve up malware, says SophosLabs.

Lorna Garey

July 7, 2015


Sophos announced Tuesday its discovery of suspicious actors exploiting a new technique to circumvent Google’s security. The exploit, called “PDF cloaking,” can put users at risk when they click what appears to be a highly ranked PDF document in Google Search.

The core technique used is cloaking, where a site appears legitimate to Google’s search engine and to anyone who visits it by typing in the URL. However, people clicking on a search result are instead directed to a site containing malware. Google has worked to block basic cloaking attacks by adjusting its PageRank algorithm. However, SophosLabs says an attacker has figured out a way around these defenses by using PDFs, rather than a site, to deliver malware.
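A defender can test a suspicious result for this behavior by requesting the same URL as each of the three visitors described above and comparing what comes back. The sketch below is an added example, not code from Sophos or the article; the header-based profiles, the function names and the `example` hosts are assumptions, and the two `fake_*` fetchers are constructed stand-ins so it runs offline.

```python
import hashlib
import urllib.request
from urllib.parse import urlsplit

# Request profiles for the three visitors the article describes. Telling them
# apart by User-Agent and Referer is an assumption; the article names no mechanism.
PROFILES = {
    "direct": {},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_click": {"Referer": "https://www.google.com/"},
}
FIELDS = ("host", "content_type", "body_hash")

def http_fetch(url, headers):
    """Live fetcher: (final_url, content_type, body) after following redirects."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.geturl(), resp.headers.get_content_type(), resp.read()

def fingerprint(final_url, content_type, body):
    """Reduce a response to the fields that should not depend on the visitor."""
    return (urlsplit(final_url).hostname, content_type, hashlib.sha256(body).hexdigest())

def find_cloaking(url, fetch=http_fetch):
    """Return {profile: [fields that differ from the direct visit]}."""
    seen = {name: fingerprint(*fetch(url, hdrs)) for name, hdrs in PROFILES.items()}
    report = {}
    for name, fp in seen.items():
        diffs = [f for f, a, b in zip(FIELDS, seen["direct"], fp) if a != b]
        if diffs:
            report[name] = diffs
    return report

# Constructed test doubles: one server that cloaks, one that does not.
def fake_cloaked_fetch(url, headers):
    if "google." in headers.get("Referer", ""):
        return "https://landing.example/offer", "text/html", b"<html>constructed landing page</html>"
    return url, "application/pdf", b"%PDF-1.4 constructed sample"

def fake_honest_fetch(url, headers):
    return url, "application/pdf", b"%PDF-1.4 constructed sample"

if __name__ == "__main__":
    print(find_cloaking("https://docs.example/report.pdf", fake_cloaked_fetch))
```

A change of host or content type for the search-click profile is the strong signal; a body-hash difference alone also occurs on pages that are generated dynamically, so treat it as a prompt for manual review.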

For now, Sophos says the exploit is mainly seen in ads for “binary trading” but that it could be used more broadly.

“Vigilance is always valuable: Beware of clicking on search results with descriptions that don’t seem consistent with the titles or search results,” Maxim Weinstein, a security adviser at Sophos, told Channel Partners. “Similarly, beware of entering personal information on, or downloading software from, any website that you don’t know and trust, even if the site is a highly ranked search result. From a technical standpoint, use modern, up-to-date endpoint software that is designed to protect against Web-based threats.”

More details on the exploit are in the Sophos blog.

Short term, to be safe, partners should advise customers to tell employees not to click on PDFs in Google (or any other search engine, for that matter) but instead take note of the URL and type it in directly. Hovering a mouse over any link and noting the URL is good practice, and PDFs, like any file containing hyperlinks, should always be approached with caution.

Security pros can also submit reports of the exploit directly to Sophos.

Follow editor in chief @LornaGarey on Twitter.
