This is the body of the email:

PDF Reader 2010 – New Version for Windows and Mac
The latest PDF Reader: Open, Edit Create PDF Files

What’s new in this version :

-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.

hxxp://www.adobe-upgrade-2010.com/

Thank you for choosing us, the worldwide leader in PDF Reader
Solutions.

Best Regards,

Tommy Johnson
PDF Reader 2010

When visiting this web site, it all makes perfect sense, it’s a company that offers a PDF Reader/Writer that can do more than the Adobe Reader on its own. But when you go further you will notice some issues with the web site and the offer.

When following the URL in the email, you get redirected to hxxp://2010-pdf-pro.com/.

It seems like you can download the software for free, there is no pricing information on the web site, so you go forward with the Download button.

The Download button leads to the page hxxp://2010-pdf-pro.com/join.asp but you will get a redirect again to the domain hxxp://secure-signup.ru/. Do not get fooled by the domain name secure-signup.ru. The browser session is not secured at all while most genuine web shops already have a secured session through https:// when you sign up for a service or software.

The site asks you to fill in your email address twice for confirmation, your first and last name and country.

When continuing to step 2 you will get the membership choices and here we have it: the PDF Reader 2010 comes not for free. You will need to choose from some 1, 2 or 3 year online access and support.

When you have made your choice you can continue the process by validating your credit card. Notice that you haven’t filled in any details regarding invoicing. The web forms did not ask for your address, zip or postcode to create an invoice or proof of purchase.

On the web form to validate your credit card, you still have no secure https:// connection. This means that your details are send over the internet without any encryption at all and can be read by anyone. What’s worse, your credit card details are now in the hands of a person or group with bad intentions.

Update 29 July 2010:

On the 27th we did fill in a dummy email address to test the webforms on the web sites above and today we received a mailing with the following content:

Dear valued customers,

We are pleased to announce the newest version of PDF Reader 2010 which will enable you to view, create, edit and print PDF documents. The PDF format as a global exchange document format is created by Adobe and is the most efficient way to exchange information.

Simply visit the link below and enter your PDF reader code:

PDF Reader Code: 5013
Go here to receive the latest 2010 version

Thank you for choosing us, the worldwide leader in PDF Reader solutions.

Mike Robertson
PDF Reader Support

Copyright PDF Reader 2010 – All rights reserved

You are currently subscribed to sm-pdf as geert@betransport.com
Safely unsubscribe from sm-pdf at any time.

Media Internet Consultants – Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a, Panama

Behind “Go here to receive the latest 2010 version” is the link hxxp://list.directmediafive.com/t/2549518/64766653/4988/0/ that will redirect you to hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677&camp=pdf_x1

The web form is now somewhat different and allows you to fill in your PDF Reader code 5013. Based on this you get a certain discount. When we wanted to leave the page an go back one page, we got a pop up windows with an 50% reduction in the price, offered for a 24 hour period with a count down counter on the site.

When going further through the process, we did got an https:// connection for sending the credit card details. But based on the facts above and mentioned in this article, I would not recommend anyone doing this. There are too many variables that gives us the idea that buying on this site will result in troubles.

The mailing also contains an unsubscribe URL using hxxp://list.directmediafive.com/. It gives you the idea that this is a genuine company. But what is quite interesting, is that when visiting the domain http://www.directmediafive.com/ directly, you will get a web page of a parked domain.

We have used the unsubscribe URL included in the mailing and will now see what happens during the next few days.

MX Lab received a new registration form from the World Business Directory and again, we want to point out a few things before you sign their contract.

The email comes from info@companyworld2010.com, with the subject “Registration of the World Business Directory 2010/2011″ and this is the email content:

Dear Madam/Sir,

In order to have your company registered in the World Business
Directory for 2010/2011, please print, complete and return the
enclosed form (PDF file) to the following address:

World Business Directory
Suite 149 – Rosden House – 372 Old Street
EC1V 9AU / London – United Kingdom
E-mail: office@companyworld2010.com
Fax: +44 207 806 8157

Updating is free of charge!

To unsubscribe, please send an email to
unsubscribe@companyworld2010.com

Attached is a PDF file named world-businessdirectory.pdf.

The 1st point that needs your attention is the text block 1:

To update your company profile, please print, complete and return
this form (Updating is free of charge). Only sign if you want to
place an insertion.

As you can read, updating is free of charge but if you want your company get listed in this directory you will need to sign and have to pay.

What is the price of this directory you may ask yourself? Well, you have to go to text block 2 with the very small letters and this includes:

I WILL HAVE AN INSERTION INTO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS GBP 980.

And there you have it, this contract will cost your business a total amount of GBP 2940 over 3 years. After the 3 years subscription you can stop your contract if you inform them on time:

THE SUBSCRIPTION WILL BE AUTOMATICALLY EXTENDED EVERY YEAR FOR ANOTHER YEAR, UNLESS SPECIFIC WRITTEN NOTICE IS RECEIVED BY THE SERVICE PROVIDER OR THE SUBSCRIBER TWO MONTHS BEFORE THE EXPIRATION OF THE SUBSCRIPTION.

A few arguments from our side that this is a scam:

The from email address contains the domain companyworld2010.com and when trying to see if there is a site online we got the notification “This account has been suspended”. We might see new emails from the World Business Directory appear with other domains.

When getting some WHOIS information on the domain we got the following:

Registrant:
 international group c/o Free Private Reg
 P.O. Box 81024
 Burnaby, BC V5H 4K2
 CA

 Domain name: COMPANYWORLD2010.COM

 Administrative Contact:
    boot, cornelis  companyworld2010.com@freeprivateregistration.com
    P.O. Box 81024
    Burnaby, BC V5H 4K2
    CA
    852-3594-1708
 Technical Contact:
    Hostmaster, Domain  hostmaster@doteasy.com
    Suite 210 - 3602 Gilmore Way
    Burnaby, BC V5G 4W9
    CA
    (604) 434-4307    Fax: (604) 608-6832

 Registrar of Record: In2net Network Inc.
 Record last updated on 05-Mar-2010.
 Record expires on 05-Mar-2011.
 Record created on 05-Mar-2010.

 Domain servers in listed order:
    DNS8.DOTEASY.COM   65.61.199.14
    DNS7.DOTEASY.COM   65.61.198.14

 Domain status: clientTransferProhibited
                clientUpdateProhibited

The registrant information is rather vague and points to a PO Box and the administrative contact has the same address. The domain freeprivateregistration.com in the email address of the administrative contact is just a domain alias from doteasy.com. These details must be fake.

In 2009, the PDF document needed to be returned to an address in The Netherlands, in this 2010/2011 edition it needs to be returned to an address in London, UK.

When visiting their site at http://www.world-businessdirectory.com/ on the ‘About us’ page we found the following text:

The World Business Directory online is product of EU Business Services Ltd, a corporation organized and existing under the laws of Nevis, West Indies.

We also  found the UK address on the ‘Contact us’ page.

Our recommendation is: don’t sign the document and don’t do business with this company.

Follow these guidelines if  you are a victim of this directory scam:

• Do not pay, even if they imply to take your case to court.
• If you have paid a certain amount, stop the next payments. Expect that you won’t get a refund either.
• Send them a letter informing them you have been misled and telling them to cancel the contract.
• If possible, report to (local) authorities.

Additional information:

Stop EU Business Services Ltd Trading As World Business Directory
Stop world-businessdirectory.com

On the web site of Richard Corbett you can find some background information about directory scams and what to do when you are a victim of such a scam.

The email comes from the spoofed address AIM <no_reply_instant_messenger@aol.com> with possible subjects like:

Your AIM account is flagged as inactive
Your AIM account will be deleted
YourAOL Instant Messenger account will be deleted

Body of the email:

Dear AOL Instant Messenger user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link . This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

The email contains the link to the web site hxxp://update.aol.com.terfkiof.net.pl/products/aimController.php?code=2902***&email=***r@r***.com. Note: it is possible that other links are being used in this campaign.

This web site informs you to download the file aimupdate_7.1.6.475.exe (size: 128 kB). When executed you will infect your computer with ZBot – a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system, along with a hidden directory %System%\lowsec and the hidden files: %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll

The trojan can request data from the following URLs:

* http://nekovo.ru/cbd/nekovo.bri
* http://nekovo.ru/ip.php

Virus Total permlink and MD5: d267e1ccc1a30134ab965fcaa39d145c. At the time of writing, only 9 of the 41 AV engines did detect the trojan. Our recommendation is therefore not to follow the URL and certainly not to download and install this so called AIM update.

For the readers that are not familiar with SpamAssassin here is a brief explanation on how SpamAssassin works. SpamAssassin will check each incoming message and will check the message based on rules. These rules contains information on what to search for and defines a score when a similarity is found.

The rule FH_DATE_PAST_20XX checks if a message is sent in the near future and will increase the score  with 3.2 points if this is true. Apparently, the search date was 01-01-2010.

This caused that all messages had an increased score by 3.2 by default. Combined with other rules, the score per message can increase further and eventually the message can be labeled as spam by SpamAssassin, depending on the configuration, that leads to many false positives.

The date for the rule has been changed to 01-01-2020 according to the SpamAssassin Wiki.

More information:

Mike Cardwell Blog
IT Slashdot

I do hope that the SpamAssassin admins change the rule on time to avoid a 2020 bug in their rule set.

In case you’re wondering…. no, MX Lab does not use SpamAssassin so our services were not affected by this issue.

MX Lab wishes everyone a virus and spam-free 2010.

The way this company works is more or less similar to the World Business Guide or Belgisch Internet Register (DAD). Page one is the introduction letter and page two is the registration form with the company details that will be used in the pubication.

The letter does state the following:

Indien de door ons ingevuld gegevens niet correct of onvolledig zouden zijn, hebt u de mogelijkheid om uw gegevens te corrigeren: de basisgegevensinvoer (naam, postcode, plaats) onder www.ondernemings-portaal-belgië submenu-item: registratie. Hiervoor worden geen kosten berekend!

For the non Dutch speaking readers, the above mentions that you can correct your basic details like name, zip and city on the web site without any costs.

Wilt u meer communicatiegegevens dan de basisgegevensinvoer publiceren, dan gebruikt u het bijgevoegde formulier en stuurt het aan ons terug. Aangezien wij geen kamer-aangesloten- of overheidsafhankelijke onderneming zijn, zijn er aan deze publicatie kosten verbonden.

If you want to publish more data than the basic details like name, zip and city then you need to take extra costs into account.

Indien u per vergissing als exploitant van een privé internet pagina werd aangeschreven of niet wenst gepubliceerd te worden, gelieve dit dan in het daartoe bestemde vak linksonder aan te duiden en het formulier aan ons terug te sturen.

If you don’t want your details published on their web site because your company does not exist anymore, you don’t want a publication or you are a private person, you need to mark this on the first paper and send this back to Ondernemings-Portaal België with the registration form.

Now here is catch. The place where you can mark that you don’t want to publish your basic details is on the first page. The registration form with your details is on page two. On page two you are asked to sign and put the date on it. Now, if they receive it and they throw page one in the trashcan – something you can’t check – you have signed their contract for publication. The ‘not publish’ option is not on their registration form so it can be abused.

The costs are not mentioned on the first page but is stated on the second page and this is € 987 per year and the contract is for 3 years! So be aware that this is a costly advertisment.

Beside that, when you are in dispute with the company be aware that their establishment is located in Germany under the name TVV Tele Verzeichnis Verlag GmbH, Hamburg, and that German law applies to the contract.

Unizo, the Union of Independent Entrepreneurs in Belgium, has dedicated a whole section on their web site regarding these advertising recruiters (site in Dutch) with lots of examples.

“The newly discovered worm is pretty sneaky to say the least. In a nutshell, it crawls the web looking for vulnerable WordPress installations, makes itself an administrator account, takes full control of the website and posts malware and spam to it. It’s also been reported that it will sometimes disable Defensio and other anti-spam plugins. It can be very hard to detect the new malicious administrator user since it hides itself from the users list using Javascript.”

Read the full story.

The potential dangers and risks

The dark side is that with these shortening services you are no longer able to see directly where your browser will be pointed to. Shortened URLs could lead to the following security risks:

• web sites that host malware, trojans and other malicious programs
• web sites that could exploit security risks in a browser or system
• web sites that contain phishing attempts and try to steal personal information
• web sites that contain phishing attempts by social interaction
• web sites that are being used in spam campaigns

A real example of shortened URL abuse

MX Lab has intercepted a message from Sefedin Abazi <sabazi@hotmail.com> with the subject “Fotos 26/06″. This is the message  content:

7:37:25 PM Fotos 26/06 :
Imagens anexadas: DSC_332.jpg – DSC_333.jpg – DSC_334.jpg
Videos Hotmail.com: www.hotmail.com/videos
————————————————————————
See all the ways you can stay connected to friends and family

With this email it looks like someone has sent you some foto’s and perhaps your curiosity is triggered you click on the short URL. The names of the photos and the video link contains the shortened URL link: hxxp://cli.gs/21YUde (do not use please).

By clicking on the shortened URL, your browser will make a connection to hxxp://fotos.live.fromru.su and will download the file xupload.exe.

When submitting the file to Virus Total (permlink and MD5: 41e441403bae688961d276b2ab1f9bca) we found out that the malware is known as Gen:Trojan.Heur.B090E1F4F4 (by GData), W32/Obfuscated.B!genr (by Norman), W32/Trojan-disguised-based!Maximus (by F-Prot) or Mal/Generic-A (Sophos). The major problem is that 21 of the 41AV engines did not detect the malware.

Without going too much in the technical details of the malware, we could conclude that downloading and executing the  xupload.exe could lead to a suprise.

Furthermore, some URL-shortening services not only shorten the URL but are also tracking the usage of the generated URLs. This way the “distributor” can gather resources on how many times a malicious shortened URL is being used, in what country, and so on.

How to preview a shortened URL

By previewing the short URL you can determine if your destination is safe enough to visit.

TinyURL
For some URL-shortening services there is a preview feature where you can submit the shortened URL to and view the full URL before visiting the site.  For TinyURL you can visit http://tinyurl.com/preview.php directly. A second method is to place “preview.” before tinyurl.com. For example http://tinyurl.com/mfhxxj becomes http://preview.tinyurl.com/mfhxxj.

bit.ly
The service bit.ly  (http://bit.ly/) is using a different approach. You will need to install a plug in for Firefox and hover over a shortened URL to get a tooptip with page title, long URL, and any click data about the page the URL links to. There is also a Firefox plug in available.

is.gd
is.gd has information on their instructions page on how to enable or disable previews by using a cookie on your computer. You can also add a hyphen (dash) to the end of the shortened URL. For example http://is.gd/1D6db is the shortened URL. By using http://is.gd/1D6db- your browser will be taken to a preview page first.

Snipurl / Snipr / Snurl / Sn.im
Adding the string “peek.” before the snipurl.com part of an shirt URL to find out where the link leads. http://snipurl.com/nh0l0 can be changed into http://peek.snipurl.com/nh0l0 for a preview.

BudURL
Simply add a “?” to the end of a BudURL  to preview it. For example http://budurl.com/ehnw?

short.ie
Same technique as with the POPrl. Insert “/see” after the short.ie/ portion of the URL. For example change http://short.ie/ij6nvk into http://short.ie/see/ij6nvk.

kl.am
Go to http://kl.am and click on the checkbox next to “Preview mode: OFF” to turn preview on.

Tinyarro.ws / ta.gd
Tinyarro.ws is giving a preview by default. There is a countdown enabled so you have time to preview the full URL and cancel the redirection if needed.

ExpandMyURL
The web site Expand My URL allows you to preview short URLs from TinuURL, bit.ly and is.gd.

LongURL
This web site can provide a preview for +200 URL-shortener services and includes tinyurl.com, is.gd, ping.fm, ur1.ca, bit.ly, snipurl.com, tweetburner.com, metamark.net, url.ie, x.se, 6url.com, yep.it, piurl.com and more. LongURL is also available as a Firefox plugin.

It is possible that non al URL shortener services that offers some kind of preview feature are listed here. If you find others, please let me know to include them.

Updated: 07-18-2009: added LongURL and some links to Firefox extensions.

The messages is from “World Business Register” with different email addresses in use:

info@easyhomecorporation.com
info@easycitycorporation.com
info@bigorganization4you.com
www@companyregpro.net
www@companyregstore.net
www@easycompregonline.com
www@bestcompregpro.com

The subject is “Business Registration 2009/2010″. The body of the email:

Ladies and Gentlemen.

In order to have your company inserted in the registry of World Businesses
for 2009/2010 edition, please print, complete and submit the enclosed
form (PDF file) to the following address:

WORLD BUSINESS GUIDE
P.O. Box 2021
3500 GA Utrecht
The Netherlands

email: register@wbgtoday.net
FAX: +31 20 524 8107

Updating is free of charge!

If you are not the intended recipient, please submit an email to
unsubscribe@wbgtoday.net
Your request shall be dealt with accordingly.

Attached is a PDF document that needs to be printed, filled in and sent to an PO Box address in The Netherlands.

When reading the PDF document carefully you can find the following:

I WILL HAVE AN INSERTION INTO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS EURO 995.

While the email itself states “Updating is free of charge!” you will have to pay € 995 each year with a minimum 3 year period by signing the document. This is quite misleading if you ask me.

A few more observations that should warn you about a possible scam:

• the email is sent from easyhomecorporation.com while there is no web site on this place so the registration of this domain is purely for spoofine the real origin.
• and more important, the document needs to be sent to a PO Box in The Netherlands while the company is International Directories Group Ltd  located in Spain according to the document.

In the past we have received similar letters by regular post here in Belgium and some organisations like Unizo have instructions (in Dutch) on how to report the illegal and deceptive practices to the authorities.

If you have received such a email, or regular mail, don’t sign the document, sent it to the trash or report to your local authorities.

[Update March, 9th 2010] MX Lab received a new registration PDF from the World Business Directory. Read the article.