Recommendation systems face growing threats from data poisoning attacks; however, existing approaches typically require compromising ≥1% of users—rendering them impractical on large-scale platforms. To address this limitation, we propose IndirectAD, an indirect poisoning attack leveraging trigger items: rather than directly injecting interactions with target items, it exploits item co-occurrence patterns to subtly shift model preferences toward the target via a small set of carefully crafted trigger items. Inspired by machine learning backdoor attacks, IndirectAD significantly reduces the required fraction of compromised accounts. Extensive experiments across collaborative filtering and deep recommendation models demonstrate that manipulating merely 0.05% of users suffices to induce substantial recommendation bias, even at scale. Our work exposes a more realistic and stealthy security vulnerability under stringent resource constraints, challenging conventional assumptions about attack feasibility and offering novel insights for robust defense design.

Recommender systems play a central role in digital platforms by providing personalized content. They often use methods such as collaborative filtering and machine learning to accurately predict user preferences. Although these systems offer substantial benefits, they are vulnerable to security and privacy threats, especially data poisoning attacks. By inserting misleading data, attackers can manipulate recommendations for purposes ranging from boosting product visibility to shaping public opinion. Despite these risks, concerns are often downplayed because such attacks typically require controlling at least 1% of the platform's user base, a difficult task on large platforms. We tackle this issue by introducing the IndirectAD attack, inspired by Trojan attacks on machine learning. IndirectAD reduces the need for a high poisoning ratio through a trigger item that is easier to recommend to the target users. Rather than directly promoting a target item that does not match a user's interests, IndirectAD first promotes the trigger item, then transfers that advantage to the target item by creating co-occurrence data between them. This indirect strategy delivers a stronger promotion effect while using fewer controlled user accounts. Our extensive experiments on multiple datasets and recommender systems show that IndirectAD can cause noticeable impact with only 0.05% of the platform's user base. Even in large-scale settings, IndirectAD remains effective, highlighting a more serious and realistic threat to today's recommender systems.