Emails offering PDF Reader 2010 lead to unsecure payment site
July 27, 2010
MX Lab intercepted some emails with the subject “Upgrade New PDF Acrobat Reader/Writer For Windows And Mac” from the email address “Adobe <firstname.lastname@example.org>”. Notice the use of Adobe in the email. In the email, an offer is made to download the new PDF Reader 2010 for Windows and Mac.
This is the body of the email:
PDF Reader 2010 – New Version for Windows and Mac
The latest PDF Reader: Open, Edit Create PDF Files
What’s new in this version :
-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.
Thank you for choosing us, the worldwide leader in PDF Reader
PDF Reader 2010
When visiting this web site, it all makes perfect sense: it's a company that offers a PDF Reader/Writer that can do more than the Adobe Reader on its own. But when you go further, you will notice some issues with the web site and the offer.
When following the URL in the email, you get redirected to hxxp://2010-pdf-pro.com/.
It seems like you can download the software for free. There is no pricing information on the web site, so you go forward with the Download button.
The Download button leads to the page hxxp://2010-pdf-pro.com/join.asp, but you will get redirected again, this time to the domain hxxp://secure-signup.ru/. Do not get fooled by the domain name secure-signup.ru. The browser session is not secured at all, while most genuine web shops already have a secured session through https:// when you sign up for a service or software.
The site asks you to fill in your email address twice for confirmation, your first and last name and country.
When continuing to step 2 you will get the membership choices, and here we have it: the PDF Reader 2010 does not come for free. You will need to choose from 1, 2 or 3 year online access and support.
When you have made your choice you can continue the process by validating your credit card. Notice that you haven’t filled in any details regarding invoicing. The web forms did not ask for your address, zip or postcode to create an invoice or proof of purchase.
On the web form to validate your credit card, you still have no secure https:// connection. This means that your details are sent over the internet without any encryption at all and can be read by anyone. What’s worse, your credit card details are now in the hands of a person or group with bad intentions.
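The checks described above can be automated. The following is an added example, not code from MX Lab: it takes the redirect hops named in this article and a form whose markup is constructed for illustration (the field names and the step3.asp action are assumptions), then reports cross-domain redirects, a "secure" host name served without https://, and card fields submitted over plain http://.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CARD_HINTS = ("card", "cvv", "cvc", "expir")  # assumed field-name hints
# Hops as described in the article; the form markup is constructed.
HOPS = ["hxxp://2010-pdf-pro.com/", "hxxp://2010-pdf-pro.com/join.asp",
        "hxxp://secure-signup.ru/"]
FORM = ('<form action="step3.asp" method="post"><input name="email">'
        '<input name="cardnumber"><input name="cvv"></form>')

def refang(url):
    """Make a defanged hxxp:// URL parseable again."""
    return url.replace("hxxp", "http", 1)

class FormScan(HTMLParser):
    """Collect form actions and input names that look like card fields."""
    def __init__(self):
        super().__init__()
        self.actions, self.card_fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input":
            name = (a.get("name") or "").lower()
            if any(h in name for h in CARD_HINTS):
                self.card_fields.append(name)

def audit(hops, final_html):
    """Return findings for a redirect chain ending in a payment page."""
    urls = [urlsplit(refang(h)) for h in hops]
    hosts = [u.hostname for u in urls]
    findings = [f"cross-domain redirect: {p} -> {c}"
                for p, c in zip(hosts, hosts[1:]) if p != c]
    last = urls[-1]
    if last.scheme != "https" and "secure" in (last.hostname or ""):
        findings.append(f"'secure' in host name but served over {last.scheme}")
    scan = FormScan()
    scan.feed(final_html)
    for action in scan.actions:
        # Resolve relative actions against the page URL before checking scheme.
        target = urlsplit(urljoin(last.geturl(), action))
        if scan.card_fields and target.scheme != "https":
            findings.append(f"card fields {scan.card_fields} sent unencrypted to {target.hostname}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(HOPS, FORM)))
```

A form that posts to https:// from a page loaded over http:// is not flagged by this check, although such a page can still be modified in transit.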
Update 29 July 2010:
On the 27th we filled in a dummy email address to test the web forms on the web sites above, and today we received a mailing with the following content:
Dear valued customers,
We are pleased to announce the newest version of PDF Reader 2010 which will enable you to view, create, edit and print PDF documents. The PDF format as a global exchange document format is created by Adobe and is the most efficient way to exchange information.
Simply visit the link below and enter your PDF reader code:
PDF Reader Code: 5013
Go here to receive the latest 2010 version
Thank you for choosing us, the worldwide leader in PDF Reader solutions.
PDF Reader Support
Copyright PDF Reader 2010 – All rights reserved
You are currently subscribed to sm-pdf as email@example.com
Safely unsubscribe from sm-pdf at any time.
Media Internet Consultants – Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a, Panama
Behind “Go here to receive the latest 2010 version” is the link hxxp://list.directmediafive.com/t/2549518/64766653/4988/0/ that will redirect you to hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677&camp=pdf_x1
The web form is now somewhat different and allows you to fill in your PDF Reader code 5013. Based on this you get a certain discount. When we wanted to leave the page and go back one page, we got a pop-up window with a 50% reduction in the price, offered for a 24 hour period with a countdown counter on the site.
When going further through the process, we did get an https:// connection for sending the credit card details. But based on the facts above and mentioned in this article, I would not recommend anyone doing this. There are too many variables that give us the idea that buying on this site will result in trouble.
The mailing also contains an unsubscribe URL using hxxp://list.directmediafive.com/. It gives you the idea that this is a genuine company. But what is quite interesting is that when visiting the domain http://www.directmediafive.com/ directly, you will get a web page of a parked domain.
We have used the unsubscribe URL included in the mailing and will now see what happens during the next few days.