Piggybacking on Adobe Acrobat and others
Yesterday, Adobe unveiled the next version of its Acrobat software: Adobe Acrobat X. The version is set to hit the market within 30 days. Among other features, the version is going to include a very important security feature that will allow users to view documents safely within a sandbox environment, adding a layer of protection to the product. Until the new version is released, there will be a lot of talk about it, which presents an opportunity to cyber criminals.
"Piggybacking" software has been circulating for some time now, and the upcoming Adobe Acrobat X launch is a great opportunity for it to rear its ugly head again. The term "piggybacking software" refers to programs that use the reputation of popular free or paid software to sell the exact same software under false pretences (for example, by claiming that it has enhanced features), or to sell slightly different software with limited added functionality. In both cases, the software is presented in a misleading way as an updated version of the genuine software.
Piggybacking software is usually found on Web sites that:
1. Are very low reputation sites or template sites
2. Use the original software brand name, themes, and colors
3. Present the same features as the original free software or service
4. Sell the same features the original software or service offers, possibly adding very limited functionality
5. Spread through spam, Web spam, or proxy Web sites
6. Are not affiliated with the offered software or service, and have a limited refund policy, if any
The table shows an example of what is meant by low reputation. All the sites in the table below sell piggyback software. At some point, all of the sites shared the same IP address, were registered for a relatively short period of time, used the same templates with various different names, and used the anonymous domain registrar "Domains By Proxy." You can see Adobe is a popular target, but there are also others:
| Hostname | Website exists for | Target |
| --- | --- | --- |
| download-2010-version.com | 4 months+ | Adobe Acrobat |
| latest-2010-version.com | 4 months+ | Adobe Acrobat |
| latest-new-pdf-download.com | 20 days | Adobe Acrobat |
| new-earth-online.com | 1 month+ | Google Earth |
| new-online-version.com | 5 months+ | Limewire |
| official-pdf-download.com | 2 months+ | Adobe Acrobat |
| official-pdf-pro.com | 2 months+ | Adobe Acrobat |
| official-pdf2010.com | 2 months+ | Adobe Acrobat |
| official-pdfdownload.com | 2 months+ | Adobe Acrobat |
| pdf-new2010.com | 4 months+ | Adobe Acrobat |
| pdfreader--2010.com | 4 months+ | Adobe Acrobat |
| the-movie-downloads.com | 5 months+ | Generic / Streamer |
| watch-hd-movies-online.com | 1 month+ | Generic / Streamer |
| www.online-tv-on-pc.com | 28 days | Generic / Streamer |
| www.pdf-new-2010-download.com | 20 days | Adobe Acrobat |
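The traits described above (brand and lure words in the hostname, a short registration period, a proxy registrar, a shared IP address) can be combined into a simple triage score for domains seen in spam. This is an added example, not code from the original post; the word lists, threshold, allow-list, and the sample ages, flags and IP addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed vocabularies, taken from the hostnames and brands named on this page.
BRAND_WORDS = ("adobe", "acrobat", "pdf", "earth", "limewire", "skype")
LURE_WORDS = ("official", "latest", "new", "download", "version", "upgrade")
OFFICIAL_DOMAINS = {"adobe.com", "google.com", "skype.com"}  # hypothetical allow-list
YOUNG_DAYS = 180  # assumed cut-off for a "short" registration


def registrable(hostname):
    """Naive last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def score(rec):
    """Score one record: dict with hostname, age_days, privacy_proxy, ip."""
    domain = registrable(rec["hostname"])
    if domain in OFFICIAL_DOMAINS:
        return 0
    name = domain.rsplit(".", 1)[0]
    points = 0
    points += 2 if any(w in name for w in BRAND_WORDS) else 0
    points += 1 if any(w in name for w in LURE_WORDS) else 0
    points += 1 if re.search(r"20\d\d", name) else 0
    points += 1 if rec["age_days"] < YOUNG_DAYS else 0
    points += 1 if rec["privacy_proxy"] else 0
    return points


def suspicious_clusters(records, threshold=4):
    """Group hosts scoring >= threshold by IP; keep IPs shared by 2+ of them."""
    by_ip = defaultdict(list)
    for rec in records:
        if score(rec) >= threshold:
            by_ip[rec["ip"]].append(rec["hostname"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


# Constructed sample: three hostnames are from the table; ages, flags and IPs are made up.
SAMPLE = [
    {"hostname": "official-pdf-download.com", "age_days": 60, "privacy_proxy": True, "ip": "192.0.2.10"},
    {"hostname": "www.pdf-new-2010-download.com", "age_days": 20, "privacy_proxy": True, "ip": "192.0.2.10"},
    {"hostname": "new-earth-online.com", "age_days": 30, "privacy_proxy": True, "ip": "192.0.2.10"},
    {"hostname": "get.adobe.com", "age_days": 9000, "privacy_proxy": False, "ip": "198.51.100.7"},
    {"hostname": "pdf-archive.example", "age_days": 2500, "privacy_proxy": False, "ip": "203.0.113.5"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(score(rec), rec["hostname"])
    print(suspicious_clusters(SAMPLE))
```

A brand word alone does not cross the threshold (the long-lived `pdf-archive.example` record scores 2); it is the combination with a young registration, proxy registrar and shared hosting that groups the lookalike sites together.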
This is how piggyback scams generally work: The entrepreneurs (criminals, to be more precise) establish a software Web site where they sell piggyback software. They take care of the site's design, payment processing, the availability of the Web site, etc. They want to "spread the word" about the new site and get revenue. This is where spammers come in. They form a relationship with the entrepreneurs to create spam linking to the new Web site for a cut of the sales. The entrepreneurs are more exposed, so they are also more cautious. They protect themselves with license and terms of service agreements. So they delegate the distribution responsibilities to spammers, who take more aggressive approaches since they're more anonymous and not officially affiliated with the Web site.
Here is an example of a very recent, related spam message. Note the subject, and where it is from:
Action Required : Upgrade Your New PDF Acrobat Reader
Users that click the www.adobe-software-upgrade.com link are instantly redirected to the site below, pdf-new-2010-download.com. This is the entrepreneur site:
In the picture above you can see the user is also enticed with a "FREE OFFICE SUITE," which is another piece of widely-available free software. Clicking the download button redirects buyers to a page that collects their email address, name, and location. Once those details are submitted, the buyer is redirected to the payment site secureonline.ru, which is also part of the scam:
We have seen hundreds of thousands of these messages, and the spam campaign is still ongoing. You might think that after seeing hundreds of thousands of messages, the spamming affiliate might get blocked by its partner, but similar spam messages are still being sent out. They just use different domains that lead to the entrepreneur site with the same affiliate ID. It's easy money. In this case, the 2-day-old domain www.adobe-acrobat-sofware.com is used:
Here are more visual examples of spammed piggyback software that profiteer from Skype (voip-online-access-now.com) and Google Earth (new-earth-online.com) respectively:
So who is targeted in these kinds of scams? It isn't Joe Internet, who knows a thing or two about software. The ideal targets are novice Internet users--ideally the ones just starting to discover the Internet and its offerings.
While we might take the Internet for granted, not everyone does. Some are dazzled, and believe it's innocent and all good. This could come from misinformation or naivety, but a lot of us were that way when we started out. So the target market is always there, and the fact that these attacks have been going on for a long time means they pay off. So this is an opportunity to advise people with a little less Internet experience than us to be a bit more aware and add an extra pinch of suspicion and doubt to their online shopping activities.