Sunday, December 12, 2010

Now here's a good social engineering phish

Just got this in my e-mail:



INTRODUCING UPGRADED ADOBE ACROBAT 2011

Dear Customers,

Adobe is pleased to announce new version upgrades for Adobe Acrobat 2011. 
http://www.2011-adobe-pdf-reader.org

Advanced features include:

- Collaborate across borders
- Create rich, polished PDF files from any application that prints
- Ensure visual fidelity
- Encrypt and share PDF files more securely
- Use the standard for document archival and exchange

To upgrade and enhance your work productivity today, go to:
http://www.2011-adobe-pdf-reader.org

To leave comments, please contact us at: comments@2011-adobe-pdf-reader.org

Best regards,

Tom Norman
 
Adobe Acrobat Reader

Copy rights © Adobe Acrobat 2011 - All Rights Reserved
Website:
http://www.2011-adobe-pdf-reader.org



Looks good, doesn't it?

Now, let's think a little critically.

I would expect contact from Adobe to come from adobe.com, not 2011-adobe-pdf-reader.org.  And how did they get my direct e-mail when, to my knowledge, you never have to register to use Acrobat Reader?

A WHOIS lookup on 2011-adobe-pdf-reader.org shows:

Domain ID:D160899709-LROR
Domain Name:2011-ADOBE-PDF-READER.ORG
Created On:11-Dec-2010 08:34:29 UTC
Last Updated On:11-Dec-2010 08:34:39 UTC
Expiration Date:11-Dec-2011 08:34:29 UTC
Sponsoring Registrar:Regional Network Information Center, JSC dba RU-CENTER (R148-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:JQ3S5X0-RU
Registrant Name:Zeus Marketing Service
Registrant Organization:Zeus Marketing Service
Registrant Street1:MTC Media Unit GF 6B,Brown Street
Registrant Street2:
Registrant Street3:
Registrant City:Dundee
Registrant State/Province:
Registrant Postal Code:DD1 5EG
Registrant Country:GB
Registrant Phone:+44.1382206023
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:domain@adobe.com

 
Hmm, Zeus Marketing Service?  In Dundee, Great Britain?  Smells very fishy.  Interesting registrant e-mail, but you can enter anything there.
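The checks made so far (brand name in a non-Adobe domain, a registration made just before the mail arrived, a registrant e-mail that anyone can type in) can be run mechanically over the registration record. The following is an added example, not part of the original post; the function names, the 30-day threshold and the receipt time (taken from the post's date) are assumptions.

```python
from datetime import datetime, timezone

# Fields copied from the registration record quoted in the post.
WHOIS_TEXT = """\
Domain Name:2011-ADOBE-PDF-READER.ORG
Created On:11-Dec-2010 08:34:29 UTC
Registrant Organization:Zeus Marketing Service
Registrant Country:GB
Registrant Email:domain@adobe.com
"""

def parse_whois(text):
    """Split 'Key:Value' lines on the first colon only (timestamps contain colons)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip(), value.strip())
    return record

def phish_indicators(record, brand, brand_domain, received, max_age_days=30):
    """Return the red flags discussed in the post as short labels."""
    findings = []
    domain = record["Domain Name"].lower()
    # 1. Brand name embedded in a domain that is not the brand's own.
    official = domain == brand_domain or domain.endswith("." + brand_domain)
    if brand in domain and not official:
        findings.append("lookalike-domain")
    # 2. Domain registered shortly before the mail was received.
    created = datetime.strptime(record["Created On"], "%d-%b-%Y %H:%M:%S UTC")
    age_days = (received - created.replace(tzinfo=timezone.utc)).days
    if 0 <= age_days <= max_age_days:
        findings.append(f"new-domain:{age_days}d")
    # 3. Registrant e-mail claims the brand but the organization does not;
    #    the field is self-asserted, so it proves nothing about ownership.
    email_domain = record.get("Registrant Email", "").rpartition("@")[2].lower()
    org = record.get("Registrant Organization", "").lower()
    if email_domain == brand_domain and brand not in org:
        findings.append("registrant-email-mismatch")
    return findings

# Assumed receipt time: the post's date (12 Dec 2010), noon UTC.
RECEIVED = datetime(2010, 12, 12, 12, 0, tzinfo=timezone.utc)
FINDINGS = phish_indicators(parse_whois(WHOIS_TEXT), "adobe", "adobe.com", RECEIVED)
print(FINDINGS)
```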

Let's go to the website and have a look.  You can do this safely.


Not bad, although the graphics are not quite Adobe corporate.  What's that you say?  Yes, the domain has changed - 2011-adobe-pdf-reader.org has redirected to new-2011-pdf-download.com!  Gee, all reference to both Adobe and Acrobat gone.  Let's have a little WHOIS lookup, shall we?

Domain name:             NEW-2011-PDF-DOWNLOAD.COM
Name Server:             ns10.dnsmadeeasy.com
Name Server:             ns11.dnsmadeeasy.com
Creation Date:           2010.11.23
Expiration Date:         2011.11.23

Status:                  DELEGATED

Registrant ID:           G2GSV3U-RU
Registrant Name:         Consesores De Importadores De Machina Independente
Registrant Organization: Consesores De Importadores De Machina Independente
Registrant Street1:      suite 310
Registrant City:         Panama City
Registrant Postal Code:  n/a
Registrant Country:      PA

Administrative, Technical Contact
Contact ID:              G2GSV3U-RU
Contact Name:            Consesores De Importadores De Machina Independente
Contact Organization:    Consesores De Importadores De Machina Independente
Contact Street1:         suite 310
Contact City:            Panama City
Contact Postal Code:     n/a
Contact Country:         PA
Contact Phone:           +1 507 5523371
Contact E-mail:          markpetersemail@gmail.com

Ah, now that's more like what we expected to find.  International wog-language registrant out of Panama with a fly-by-night $20 a year domain host and a throwaway gmail address.

Anybody wanna download it and see what it does?  I'll be patient waiting for the reply, you may need to reformat afterwards.  ;-)

6 comments:

  1. good catch. got the same email and also a few variants such as:

    Dear valued Skype users,

    This is to notify that new VoIP and Conversation Recording addons have been released for Skype.

    Following are major new features:
    http://www.skype-2011-software.org

    different name, same scam. problem is, for the less critical amongst us, it's entirely believable. most peeps have skype and acrobat reader so unless you're on the ball, the phishers are likely to get a net full of catches.

  2. good catch too, I actually got that same e-mail about an hour ago.

    skype-2011-software.org redirects to 2011-voip-new-download.com which is, perhaps unsurprisingly, registered to the same scumbag.

    Domain name: 2011-VOIP-NEW-DOWNLOAD.COM
    Name Server: ns10.dnsmadeeasy.com
    Name Server: ns11.dnsmadeeasy.com
    Creation Date: 2010.11.26
    Expiration Date: 2011.11.26

    Status: DELEGATED

    Registrant ID: G2GSV3U-RU
    Registrant Name: Consesores De Importadores De Machina Independente
    Registrant Organization: Consesores De Importadores De Machina Independente
    Registrant Street1: suite 310
    Registrant City: Panama City
    Registrant Postal Code: n/a
    Registrant Country: PA

    Administrative, Technical Contact
    Contact ID: G2GSV3U-RU
    Contact Name: Consesores De Importadores De Machina Independente
    Contact Organization: Consesores De Importadores De Machina Independente
    Contact Street1: suite 310
    Contact City: Panama City
    Contact Postal Code: n/a
    Contact Country: PA
    Contact Phone: +1 507 5523371
    Contact E-mail: markpetersemail@gmail.com

  3. I also have received this email today and thought it was very phishy as well... Cuz like, if it was an official Adobe email, they wouldn't put someone's name on it that openly would they? So I Googled to confirm my suspicion and voila, your blog post sums it up very nicely. Well done Sir, you've made the world a little nicer to live in today. :)

    (Well done to Hotmail as well for correctly recognising the email as junk :P)

  4. I received the same email and I thought it was strange:

    Download New Adobe Acrobat 2011 PDF Reader Alternative
    From:
    Adobe Acrobat Reader

    INTRODUCING UPGRADED ADOBE ACROBAT 2011

    Dear Customers,

    Adobe is pleased to announce new version upgrades for Adobe Acrobat 2011.
    http://www.adobe-releases.com

    Advanced features include:

    - Collaborate across borders
    - Create rich, polished PDF files from any application that prints
    - Ensure visual fidelity
    - Encrypt and share PDF files more securely
    - Use the standard for document archival and exchange

    To upgrade and enhance your work productivity today, go to:
    http://www.adobe-releases.com

    To leave comments, please contact us at: comments@adobe-releases.com

    Best regards,

    Tom Norman

    Adobe Acrobat Reader
    Copy rights © Adobe Acrobat 2011 - All Rights Reserved
    Website: http://www.adobe-releases.com

    Thanks to all of you. This email in my box will be destroyed in a minute !

  6. I believe there is also a similar scam based around Dell doing the rounds, but I haven't seen one yet.
