Google Picasa scam


MX Lab, http://www.mxlab.eu, reported earlier on emails that offer an alternative to the official Adobe PDF Reader and the VOIP add-ons for Skype.

It now seems that Google Picasa is the next victim of the same type of scam. We intercepted a few messages with the subject “The iTunes of Photo Organization” coming from the email address Picture Tools <megantivir@aphyet.com>. This is the message:

The message has a download URL in the format hxxp://aphyet.com/re.php?lnk=1203683910&e=****.****@****.be. Following the link takes us to hxxp://officialversion.su/pics/1/index.asp?aff=11677&camp=esp_may09hld_picasa_jun10 with the following web site:

Notice the button on the right “Download Picasa” now and the mention of 24/7 support. This is very familiar and did ring a bell at the MX Lab HQ. We started to investigate the web site further.

We found a registration and order process very similar to the past cases with the Adobe PDF Reader 2011 and the VOIP add-ons for Skype.

The payment transaction appears to be processed over an insecure HTTP connection, but a look at the HTML shows that the payment form is embedded in an <iframe> and is processed by hxxps://secure-signupway.com/p06/?siteid=6882. This domain is known for fraudulent payment processing, so your credit card details will end up in the wrong hands.
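The check described above can be scripted for triage. The following is an added example, not MX Lab's tooling: it lists every iframe on a saved page and reports which host each one really loads from. The order page URL, the sample markup and the one-entry blocklist are constructed from the details in this post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

DEFANGED = {"hxxp": "http", "hxxps": "https"}  # accept schemes as defanged in reports
BLOCKLIST = {"secure-signupway.com"}           # processor host named in this post

# Constructed sample: markup modelled on the description, not the real page source.
PAGE_URL = "hxxp://officialversion.su/pics/1/index.asp"
SAMPLE_HTML = """
<html><body><h1>Order</h1>
<iframe src="hxxps://secure-signupway.com/p06/?siteid=6882" width="600"></iframe>
<iframe src="terms.html"></iframe>
</body></html>
"""

def origin(url):
    """Return (scheme, host); both are empty strings for a relative URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return DEFANGED.get(scheme, scheme), (parts.hostname or "").lower()

class FrameCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "iframe" and src:
            self.sources.append(src)

def audit_frames(page_url, html, blocklist=BLOCKLIST):
    """Describe where each embedded frame loads from, relative to the page."""
    page_scheme, page_host = origin(page_url)
    collector = FrameCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        scheme, host = origin(src)
        host = host or page_host        # a relative src stays on the page's host
        findings.append({
            "src": src,
            "scheme": scheme or page_scheme,
            "host": host,
            "other_host": host != page_host,
            # HTTP parent: the address bar cannot vouch for what the frame sends
            "insecure_parent": page_scheme == "http",
            "blocklisted": host in blocklist,
        })
    return findings
```

A frame that is on another host, sits under an HTTP parent and matches the blocklist is the combination seen on this order page.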

As expected, the domain registration details are protected and the domain was registered only a few days ago.

Domain Name: APHYET.COM 

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 06-Jun-2011  
Expiration Date: 06-Jun-2012

Domain servers in listed order:
    ns1.reg.ru
    ns2.reg.ru

Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Our recommendation is not to fill in any credit card details, as they will likely be abused, and not to download this software. Please note that for the real Picasa you need to go to the Google web site at http://picasa.google.com/. And it’s free.
