Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Symantec Intelligence

New Phishing Attack Guised as Fake PDF Reader Update

Created: 07 Jul 2010
MarissaVicario's picture
0 0 Votes
Login to vote

Posted on behalf of Mathew Nisbet, Malware Data Analyst and Jo Hurcombe, AV Operations Engineer, Symantec Hosted Services

On the June 18, MessageLabs Intelligence spotted a new malicious email attack, using PDFs as a hook. A little different to the usual PDF related e-mails, this doesn’t attempt to exploit vulnerabilities in the PDF format, or attempt to get the victim to download malware masquerading as a new PDF reader. Instead, this one is after credit card details.

The email tells you that there is a new version of their PDF reader available, and gives a bit of a sales pitch for this new software.

Clicking on the link takes the recipient to a professional-looking page made to advertise the fictitious software.

Clicking on the download link takes the victim to a different site altogether, which asks for some personal details. The URL claims to be a secure signup, though it uses no encryption whatsoever. The section to the left explains that once a member, the recipient is entitled to "free" software.

Once the required details are entered, the victim is taken to a page to select "membership options.” Note the free gift and special discount advertised to the left is only valid for a few more hours – a social engineering tactic that adds an incentive for the victim to continue the process.

As there is only one option to pay for membership, the victim must click it to proceed. A payment page then comes up which includes the logos of the top credit card providers, and the logos of their secure payment systems to try and convince the victim that everything is safe and secure. In reality, this page is still using plain http with no encryption.

If a victim has gotten this far, and enters their credit card details, then they will be disappointed. Instead of receiving their free software, they just get told that their IP or Credit Card have been blacklisted.

Since first seeing this scam on June 18, there were very few each day. But on the June 30, we intercepted more than 13,000! In total we have stopped over 26,000 of these fake "PDF Reader Update" phishing attack emails.

Sites like this are very dangerous. They look legitimate, and could easily fool an unsuspecting user in to handing over their details. It could also be easily modified to infect the user with malware by offering an infected download at the end of the process, or by attempting a "drive by" attack anywhere on the site.

Any unsolicited email received from an unknown source should be treated as highly suspicious, especially one that requires visiting an external page by clicking a link. Also, any site that is asking for money, if it is not using SSL encryption (the URL should start with https, and there should be a padlock icon at the bottom of the browser) is not secure, no matter what it claims. Even if the site does use SSL, that does not guarantee security as the site itself could be designed specifically to harvest personal information, like the one described in this post.

Be careful, use caution and watch for signs of scams, keep your anti-virus software up to date, and you won't be a victim of this kind of attack.