Users are tricked into exposing their credit card details

Jul 7, 2010 16:11 GMT

Symantec reports that phishers are preying on people unhappy with Adobe Reader and are advertising fake software to replace it. Users are lured with promises of a free PDF reader alternative, but end up having their credit card details stolen.

"A little different to the usual PDF related e-mails, this [attack] doesn’t attempt to exploit vulnerabilities in the PDF format, or attempt to get the victim to download malware masquerading as a new PDF reader. Instead, this one is after credit card details. The email tells you that there is a new version of their PDF reader available, and gives a bit of a sales pitch for this new software," security researchers from Symantec's Hosted Services (MessageLabs) warn.

The link included in the spam emails takes users to a well-designed and professional-looking website. The first page includes details about the PDF format and describes the program's set of features. Visitors are encouraged to click on a big "Download now" button to obtain the software.

Clicking on the button does not initiate any download, but instead opens a third-party page informing users that they need to register as members before receiving a free copy of the program. Signing up requires an e-mail address, full name and country.

Submitting this information redirects users to yet another external site revealing that the software is free, but the membership is not. This page provides several membership options that are priced differently and entice people to continue with a free Office Suite gift.

Even if at this point many users realize the scam and quit, the attackers have gathered enough information about them to use in future targeted spam campaigns. Meanwhile, the ones who decide to pay for membership and click the "CreditCard" button will be presented with a form where they can give away their credit card details, all in exchange for an error message claiming their IP is blacklisted.

The spam campaign started sometime around June 18, but the junk mail output was fairly modest at first. Since then, however, Symantec has detected traffic spikes on two separate occasions: first between June 22 and June 24, and a second time between June 29 and July 1. It is possible that similar spikes will occur in the future, as the scammers move to different domains.

You can follow the editor on Twitter @lconstantin

Images: PDF reader upgrade spam leads to phishing site; Spam promoting fake PDF reader software; Rogue website pushing fake PDF reader software