Emails offering PDF Reader 2010 lead to unsecure payment site


MX Lab intercepted some emails with the subject “Upgrade New PDF Acrobat Reader/Writer For Windows And Mac” from the email address “Adobe <newsletter@adobe-upgrade-2010.com>”. Notice the use of “Adobe” in both the sender name and the sender domain. The email offers a download of the new PDF Reader 2010 for Windows and Mac.

This is the body of the email:

PDF Reader 2010 – New Version for Windows and Mac
The latest PDF Reader: Open, Edit Create PDF Files

What’s new in this version :

-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.

hxxp://www.adobe-upgrade-2010.com/

Thank you for choosing us, the worldwide leader in PDF Reader
Solutions.

Best Regards,

Tommy Johnson
PDF Reader 2010

At first sight the web site makes perfect sense: it appears to be a company that offers a PDF Reader/Writer that can do more than Adobe Reader on its own. But when you go further you will notice some issues with the web site and the offer.

When following the URL in the email, you get redirected to hxxp://2010-pdf-pro.com/.

It seems like you can download the software for free. There is no pricing information on the web site, so you go forward with the Download button.

The Download button leads to the page hxxp://2010-pdf-pro.com/join.asp, but you are redirected again, this time to the domain hxxp://secure-signup.ru/. Do not be fooled by the domain name secure-signup.ru: the browser session is not secured at all, whereas most genuine web shops already use a secured https:// session when you sign up for a service or software.

The site asks you to fill in your email address twice for confirmation, your first and last name and country.

When continuing to step 2 you get the membership choices, and here we have it: PDF Reader 2010 is not free. You need to choose 1, 2 or 3 years of online access and support.

When you have made your choice you can continue the process by validating your credit card. Notice that you haven’t filled in any details regarding invoicing. The web forms did not ask for your address, zip or postcode to create an invoice or proof of purchase.

On the web form to validate your credit card, you still have no secure https:// connection. This means that your details are sent over the internet without any encryption at all and can be read by anyone. What’s worse, your credit card details are now in the hands of a person or group with bad intentions.
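The checks described above (redirects across unrelated hosts, a “secure” hostname served over plain http, and a card form submitted without https) can be run offline against a recorded redirect chain. The following is an added example, not part of the original article; the form markup, its action path and field names, and the `CARD_HINTS` list are assumptions, since the article does not show the real page source.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Redirect hops as reported in the article (defanged hxxp kept as written).
CHAIN = ["hxxp://www.adobe-upgrade-2010.com/", "hxxp://2010-pdf-pro.com/",
         "hxxp://2010-pdf-pro.com/join.asp", "hxxp://secure-signup.ru/"]
# Constructed sample markup: the article does not show the real form, and the
# action path and field names here are assumptions.
SAMPLE_FORM = """<form action="/validate.asp" method="post">
<input name="email"><input name="cardnumber"><input name="cvv"></form>"""
CARD_HINTS = ("card", "cvv", "cvc", "ccnum", "expir")


def refang(url):
    """Make a defanged hxxp(s):// URL parseable again; nothing is fetched."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url


class FormScan(HTMLParser):
    """Collect form actions and the names of inputs that look like card fields."""
    def __init__(self):
        super().__init__()
        self.actions, self.card_fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and any(h in name for h in CARD_HINTS):
            self.card_fields.append(name)


def review(chain, final_html):
    """Return findings for a recorded redirect chain and its final page."""
    urls = [urlsplit(refang(u)) for u in chain]
    hosts = list(dict.fromkeys(u.hostname for u in urls))  # ordered, de-duplicated
    last, findings = urls[-1], []
    if len(hosts) > 1:
        findings.append("redirects cross hosts: " + " -> ".join(hosts))
    if "secure" in last.hostname and last.scheme != "https":
        findings.append("hostname says 'secure' but scheme is " + last.scheme)
    scan = FormScan()
    scan.feed(final_html)
    for action in scan.actions:
        target = urlsplit(urljoin(last.geturl(), action))
        # Both the page and the submit target must be https for the form to be safe.
        if scan.card_fields and {last.scheme, target.scheme} != {"https"}:
            findings.append("card fields %s submit over %s to %s"
                            % (scan.card_fields, target.scheme, target.hostname))
    return findings
```

Calling `review(CHAIN, SAMPLE_FORM)` returns three findings for the chain in this article, and an empty list for a single-host https checkout page with the same form.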

Update 29 July 2010:

On the 27th we filled in a dummy email address to test the web forms on the web sites above, and today we received a mailing with the following content:

Dear valued customers,

We are pleased to announce the newest version of PDF Reader 2010 which will enable you to view, create, edit and print PDF documents. The PDF format as a global exchange document format is created by Adobe and is the most efficient way to exchange information.

Simply visit the link below and enter your PDF reader code:

PDF Reader Code: 5013
Go here to receive the latest 2010 version

Thank you for choosing us, the worldwide leader in PDF Reader solutions.

Mike Robertson
PDF Reader Support

Copyright PDF Reader 2010 – All rights reserved

You are currently subscribed to sm-pdf as geert@betransport.com
Safely unsubscribe from sm-pdf at any time.

Media Internet Consultants – Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a, Panama

Behind “Go here to receive the latest 2010 version” is the link hxxp://list.directmediafive.com/t/2549518/64766653/4988/0/ that will redirect you to hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677&camp=pdf_x1

The web form is now somewhat different and allows you to fill in your PDF Reader code 5013. Based on this you get a certain discount. When we wanted to leave the page and go back one page, we got a pop-up window with a 50% reduction in the price, offered for a 24-hour period with a countdown counter on the site.

When going further through the process, we did get an https:// connection for sending the credit card details. But based on the facts mentioned in this article, I would not recommend anyone do this. There are too many variables that give us the idea that buying on this site will result in trouble.

The mailing also contains an unsubscribe URL using hxxp://list.directmediafive.com/. It gives you the idea that this is a genuine company. But what is quite interesting is that when visiting the domain http://www.directmediafive.com/ directly, you will get a web page of a parked domain.

We have used the unsubscribe URL included in the mailing and will now see what happens during the next few days.

7 Responses to Emails offering PDF Reader 2010 lead to unsecure payment site

  1. Henk Godschalk says:

    Thank you for the warning. Luckily I have no credit card and so I would never pay via internet.

  2. Clear Plastic Plates says:

    It’s amazing how advanced the fraudsters are getting. The internet is a haven for them. At least MXLAB are the good guys. Thank you for your continued hard work, guys!

  3. 9hnlb says:

    Regarding the above, unfortunately, I chose to unsubscribe and my PC’s running at an extremely slow pace. In fact, before finding this article I thought my hard disk had been damaged. I’m no noob in computers but this was very unlike me; usually I just block them through the anti-virus email filter.

    I’m asking whether you know where it attacks or some solutions which might be helpful. I can’t scan my PC since it’s extremely slow (scans 30 files in 10 mins!).
    I was going to scan the HD via USB through another computer.
    Thanks a lot! Much appreciated.

  4. Pingback: Phishing scam masquerades as Adobe upgrade | Diig2web

  5. Pingback: Phishing scam masquerades as Adobe upgrade | Security – CNET News | Slinking Toward Retirement

  6. Pingback: Phishing scam masquerades as Adobe upgrade « Twin Rivers Communications

  7. Pingback: Una campaña de Phishing scam se enmascara como actualización de Adobe Reader. « Seguridad PCs
