#ICanHazPDF : Peer Support or Stranger Danger?
An interesting article from the BBC today caught my attention from a security and risk perspective. Academics have been using a little-known Twitter hashtag, #ICanHazPDF, to request and share journal articles.
Whilst it is heartening to see the Internet used as it was originally intended in the early days of the ARPAnet, to share resources and knowledge within the academic community, the open manner of the requests creates risks that a malicious actor could exploit.
Let’s look at the group ‘etiquette’ for #ICanHazPDF 1:
- Give link or DOI.
- Give email address.
- Delete your request after you get the pdf.
From an attacker’s perspective, anyone requesting a paper has just handed over two of the ingredients needed for a successful compromise: a delivery channel (the email address) and a plausible pretext (the requester is expecting to receive a PDF file that they actively want to read).
It would be trivial to harvest requests from the hashtag and send each requester a trojaned PDF, with the aim of compromising the requester’s machine and everything that follows from a system compromise.
A potential attack scenario could proceed as follows (no, I doubt I’m providing any ideas the BadGuys™ haven’t already thought of):
- Extract email addresses and the requested papers from the #ICanHazPDF Twitter feed.
- Generate a malicious PDF (or rename an existing one) so that it matches the requested paper’s title.
- Send it to the original requester.
- Carry out the usual damaging activity that follows a successful compromise.
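The defensive counterpart to that scenario is a triage check on inbound PDFs before they reach the requester. The following Python script is an added example for this post; it is not code from the original article nor from any Onyx Security product. It looks for the PDF name tokens that let a document run code or launch something on open (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile and similar), after first undoing the #xx hex escapes that the PDF syntax allows inside names, which malicious files commonly use to hide those tokens from naive keyword scanners. The three sample documents are constructed inline for the demonstration, and the name list and the ‘quarantine’/‘pass’ verdicts are this example’s own choices rather than any standard.

```python
import re

# Constructed sample (not a real attachment): a minimal PDF whose catalog
# runs JavaScript as soon as the document is opened.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hello');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with a single empty page and no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the risky names are written with #xx escapes
# (/Open#41ction == /OpenAction, /J#53 == /JS), which a plain grep misses.
OBFUSCATED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj
3 0 obj << /S /JavaScript /J#53 (app.alert(1);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name tokens worth flagging, with a one-line reason for the analyst.
# This list is the example's own choice, not an exhaustive or official set.
RISKY_NAMES = {
    b"/OpenAction": "an action runs automatically when the document is opened",
    b"/AA": "additional actions triggered by page, form or document events",
    b"/JavaScript": "a JavaScript action object",
    b"/JS": "inline or referenced JavaScript code",
    b"/Launch": "an action that launches an external program or file",
    b"/EmbeddedFile": "the document carries an embedded file",
    b"/RichMedia": "embedded Flash or other rich media",
    b"/XFA": "XFA forms, a historically exploited parser",
}

# A name token ends at whitespace or a PDF delimiter, so /JS is not matched
# inside a longer name such as /JSON.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def _decode_name_escapes(data: bytes) -> bytes:
    """Fold #xx hex escapes back into raw bytes.

    PDF allows any byte in a name to be written as #xx, so /J#53 is the
    same name as /JS. Decoding globally may also touch '#' characters inside
    strings or streams; for triage that risks a false positive, never a miss.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return {'is_pdf', 'findings', 'verdict'} for one attachment body."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "verdict": "not-a-pdf"}
    normalised = _decode_name_escapes(data)
    findings = {}
    for name, why in RISKY_NAMES.items():
        count = len(re.findall(re.escape(name) + _NAME_END, normalised))
        if count:
            findings[name.decode()] = {"count": count, "why": why}
    verdict = "quarantine" if findings else "pass"
    return {"is_pdf": True, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_PDF),
                       ("benign", BENIGN_PDF),
                       ("obfuscated", OBFUSCATED_PDF)):
        result = triage_pdf(doc)
        print(f"{label:11s} -> {result['verdict']}")
        for name, info in result["findings"].items():
            print(f"    {name} x{info['count']}: {info['why']}")
```

A keyword check like this reduces the easy wins for an attacker but does not replace a sandbox or a patched reader: legitimate forms use /AA and /JS, so the verdict is a prompt for a human or a detonation sandbox rather than a block on its own, and an exploit that lives in a font or image parser carries none of these names at all. Disabling JavaScript in the PDF reader and opening untrusted documents in a sandboxed viewer close off much of what the flagged tokens can do.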
Compared with untargeted phishing, or even spear-phishing, where the chance of a recipient actually opening a malicious file should be low if security awareness programmes are working, here the recipient is expecting exactly the file they receive. From our collective experience of dealing with real-world attacks and running simulated social engineering engagements for clients, we would expect the click-through rate for this scenario to be significantly higher.
The group etiquette does make some attempt to limit the exposure of email addresses, by deleting the original request once the file has been received. However, deletion rarely succeeds fully for anything posted online: a tweet may already have been retweeted, quoted, cached or scraped before it is removed. The mitigation also appears to be partly incidental, with the deletion step intended to stop others sending duplicate copies once the article has arrived, rather than to protect the requester.
Having spoken to several academics on the topic this morning, we find it worrying that the risk in this process was not widely recognised. It has also been pointed out that the ‘higher value’ academic targets will likely already have access to all the journals they need, which potentially narrows the pool of victims to independent researchers and students without the same resources 2.
So, as a call to arms: if you are responsible for staff security awareness (or for picking up the pieces in the aftermath of a compromise), we would urge you to take this story as an opportunity to remind all staff of the dangers of opening files, links or attachments from strangers, even when they themselves initiated the request.
Should you want or need any assistance, our Security Consultants are here to help advise on staff security awareness programmes, mail and endpoint protection products in the Onyx Security Portfolio and any other facet of information security.