Download Adobe Reader 10 Alternative scam


MX Lab reported earlier on a malicious spam campaign offering PDF Reader/Writer for Windows and Mac for download and purchase, in the articles “Malicious spam campaign regarding Adobe Acrobat 2010 PDF Reader and VOIP Addons for Skype” and “Emails offering PDF Reader 2010 lead to unsecure payment site”.

MX Lab noticed a new version that offers the latest PDF Reader. The emails have the subject “Download Adobe Reader 10 Alternative” and are sent from the email address dailynews_dec09@m120.redmediaone.com.

This is the body of the email:

Following the link to the web site will lead us here:

When clicking on the download button we have the following screen that looks very familiar:

Okay, let’s go through the registration process:

The registration transactions are performed on the domain secure-signupway.com. This domain is known for fraudulent payment processing, so your credit card details will end up in the wrong hands.

Now, this is also interesting. The domain from where the message is sent, redmediaone.com, has protected registrant details in the WHOIS.

Registrant:
   redmediaone.com
   c/o Whois Privacy Service
   PO BOX 501610
   San Diego, CA 92150-1610
   US

   Domain Name: REDMEDIAONE.COM

   Administrative Contact, Technical Contact, Zone Contact:
      redmediaone.com
      c/o Whois Privacy Service
      PO BOX 501610
      San Diego, CA 92150-1610
      US
      (619) 393-2111
      whois@emailaddressprotection.com


   Domain created on 18-May-2010
   Domain expires on 17-May-2012
   Last updated on 25-Mar-2011

   Domain servers in listed order:

      NS1.DOMAINDISCOVER.COM      
      NS2.DOMAINDISCOVER.COM 

The message contains the download URL and an unsubscribe URL that is handled by http://list.onemediaclick.com/. In this case too, the registrant details are protected.

Domain Name: ONEMEDIACLICK.COM
Registrar: MONIKER

Registrant [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US


Administrative Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155


Billing Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155


Technical Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155


Domain servers in listed order:

        NS1.DOMAINSERVICE.COM         208.73.210.41
        NS2.DOMAINSERVICE.COM         208.73.211.42
        NS3.DOMAINSERVICE.COM
        NS4.DOMAINSERVICE.COM

        Record created on:        2011-02-14 12:05:30.0
        Database last updated on: 2011-02-14 12:05:32.93
        Domain Expires on:        2012-02-14 12:05:31.0

The web site of Onemediaclick:

These guys are, according to the address on the site, located in Switzerland. When trying to contact them through the web form, nothing happens. The <form> tags are not included in the web form when looking at the source. Seems to me that this whole business can not be trusted.
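An added example, not part of MX Lab's original analysis: a small Python check for the condition described above, where a page shows form controls but the source has no enclosing <form> element. The class and function names and the sample markup are constructed for illustration; a page that carries script is reported for manual review, since script could still submit the fields.

```python
from html.parser import HTMLParser

CONTROLS = {"input", "textarea", "select", "button"}

class FormAudit(HTMLParser):
    """Record every form control and whether a <form> can submit it."""

    def __init__(self):
        super().__init__()
        self.open_forms = 0   # <form> elements currently open
        self.forms = []       # (method, action) of each <form> seen
        self.orphans = []     # visible controls outside any <form>
        self.scripts = 0      # <script> blocks (possible JS submit)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.open_forms += 1
            self.forms.append(((a.get("method") or "get").lower(),
                               a.get("action") or ""))
        elif tag == "script":
            self.scripts += 1
        elif tag in CONTROLS and a.get("type") != "hidden":
            # The HTML5 form="id" attribute ties a control to a form elsewhere.
            if not self.open_forms and not a.get("form"):
                self.orphans.append(a.get("name") or a.get("id") or tag)

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms -= 1

def audit(html):
    """Return 'ok', 'dead' (cannot submit) or 'review' (script may submit)."""
    p = FormAudit()
    p.feed(html)
    p.close()
    if not p.orphans:
        verdict = "ok"
    elif p.scripts:
        verdict = "review"
    else:
        verdict = "dead"
    return verdict, p.orphans

# Constructed samples, not the markup of the site described above.
DEAD_PAGE = """<div id="contact"><input name="email"><textarea name="msg"></textarea>
<input type="submit" value="Send"></div>"""
LIVE_PAGE = """<form method="post" action="/contact"><input name="email">
<button type="submit">Send</button></form>"""

if __name__ == "__main__":
    print(audit(DEAD_PAGE), audit(LIVE_PAGE))
```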

7 thoughts on “Download Adobe Reader 10 Alternative scam”

  1. Nice post. Just as a FYI, if you replace the /pdf in the original URL with /earth or /tv, you’ll get similar scams.

    Same deal with mails like “Limewire shut down ? We have the alternative”, same scam, same payment domain.

    • So far we haven’t seen the other “offers” in emails that we have intercepted but it is really good to know that it exists. Thanks for the tip regarding replacing PDF in the URL.

  2. THEY ARE BACK! I JUST RECEIVED THIS TODAY OUT OF THE CLEAR BLUE

    -----Original Message-----
    From: Adobe Systems Incorporated
    To:
    Sent: Mon, May 9, 2011 3:28 am
    Subject: Adobe PDF Reader Software Upgrade Notification

    ADOBE PDF READER SOFTWARE UPGRADE NOTIFICATION

    This is to remind that a new version of Adobe Acrobat Reader with enhanced features for viewing, creating, editing, printing and internet-sharing PDF documents has been released.

    To upgrade your application:

    + Go to : http://www.2011-acrobat-reader-upgrade.com
    + Download and upgrade your application.

    Copyright 2010 Adobe Systems Incorporated. All rights reserved.

    Adobe Systems Incorporated
    Attn: Change of Address/Privacy
    343 Preston Street
    Ottawa, ON K1S 1N4
    Canada.

    This message was intended for:
    You were added to the system May 8, 2011. For more information
    click here.
    Update your preferences | Unsubscribe

  3. I too have received this email, from “support@email.adobe.com (AnnSacks@interiors.kohlernews.com) subject: Lastest Acrobat PDF Reader Has Been Released! Upgrade Now

    link takes me to my-adobe-pdf-upgrade.com, then proceeds to offer its yearly rates for the download.
