Scammers have long used cloaking as a technique to drive up search engine rankings, stuffing webpages full of keywords and links that make them attractive to Google, but not to actual readers. Google wised up and those tactics became ineffective.

But, according to a new report from SophosLabs, there is one twist on cloaking that still works, and that is to stuff those keywords and links into PDF documents instead. SophosLabs noticed the PDF cloaking a few days ago, and hundreds of thousands of fake PDF documents have been appearing daily since then. Each is stuffed with random keywords, as well as links to the other pages in the campaign.

The Department of Homeland Security formally sounded the alarm on Dyre, the banking Trojan that’s been spotted siphoning banking credentials from both large enterprises and major financial institutions as of late. 

The warning came in the form of an alert informing the public of the malware, which is spread through spam and phishing emails. Phishing emails peddling Dyre are now using malicious PDF attachments that leverage vulnerabilities to download the malware. Once it’s downloaded, it captures user login information and sends that on to attackers. Experts are encouraging users to use caution when it comes to opening attachments.