Debunking email hoaxes and exposing Internet scams since 2003!


Issue 114 - May 2011 - Page 3

Fake Order Notification Emails Carry PDF Exploit


Outline
Emails purporting to be from various organizations, including Broadcast Music, Puremobile, Bobijou and Warner Music, claim to be order notifications about recent purchases and advise recipients to open an attached PDF to review purchase information.



Brief Analysis
The emails are not genuine order notifications and they do not originate with the organizations named in the messages. The attachments are maliciously crafted PDFs that can exploit vulnerabilities in some versions of Adobe Reader. If the vulnerabilities are exploited when the attachment is opened, more malware can be downloaded and installed.

Detailed analysis and references below example.



Last updated: 6th April 2011
First published: 6th April 2011
Article written by Brett M. Christensen
About Brett Christensen and Hoax-Slayer


Examples
Subject: Your Order No 887154 - Broadcast Music, Inc.

Thank you for ordering from Broadcast Music, Inc.

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 887154. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount of 940.00 USD and "Broadcast Music, Inc." will appear next to the charge on your statement. l

Your purchase information appears below in the file.

Broadcast Music, Inc.


Subject: Subject: Your Order Id 92339 | Puremobile Inc.

Thank you for ordering from Puremobile Inc.

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 4813.

You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 705.00 USD and "Puremobile Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.


Subject: Successfull_Order 847664

Thank you for ordering from Bobijou Inc.

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 116357.
You will need this in all correspondence.

This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 771.00 USD and “Bobijou Inc.” will appear next to the charge on your statement.

You will receive a separate email confirming your order has been despatched.

Your purchase and delivery information appears below in attached file.

Thanks again for shopping at Bobijou Inc.


Subject: Your Order Warner Music Inc.

Thank you for ordering from Warner Music Inc. This message is to inform you that your order has been received and is currently being processed.

Your order reference is Warner Music Inc. You will need this in all correspondence.

This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address. You have chosen to pay by credit card.
Your card will be charged for the amount of 629.00 USB and "Warner Music Inc." will appear next to the charge on your statement.

Your purchase information appears below in the file.




Detailed Analysis
Malware emails masquerading as product order notifications are currently being distributed. The messages purport to be from several different organizations, including Broadcast Music, Puremobile, Bobijou and Warner Music. The emails claim that the recipient's credit card has been charged for a recent purchase and that more information about the purchase is available in an attached PDF.

However, the organizations mentioned in the messages did not send them as claimed, and the claims that the recipient's credit card has been charged for a purchase from one of these organizations are untrue. The fake order notifications are designed to trick recipients into opening a malicious attachment.

The attachment contains a maliciously crafted PDF that can exploit vulnerabilities in some older versions of Adobe Reader. If the vulnerabilities are successfully exploited when the attachment is opened, a malicious executable file can be downloaded from an external server. This malware can, in turn, download even more malware components.

The criminals responsible for this malware attack rely on the fact that many people, surprised and concerned by what they believe to be an unauthorized transaction on their credit card, are likely to open the attachment without due care and attention.

Criminals have repeatedly used such tactics to distribute malware. Fake purchase order malware campaigns similar to this are likely to continue. Such campaigns are often successful because perfectly legitimate online payment systems will very often send out order notifications to customers after a purchase has been made. Thus, people who buy online and regularly receive purchase notifications via email may be inclined to believe that the malware messages are genuine.

Be very cautious of any email that claims that your credit card or bank account has been charged for something that you did not buy. If you receive such an email, do not open any attachments that come with the email. Do not follow any links in the message as they may lead to malicious websites. If in doubt about a purchase notification email, check with the company directly rather than opening an attachment or following a link.

In order to minimize the risk of succumbing to software exploits, users should always ensure that they are using the most updated versions of programs such as Adobe Reader. They should also ensure that the latest operating system security updates are installed and use virus and malware security software along with a firewall.
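For mail administrators, the campaign traits described above can be turned into a triage check. The following Python sketch is an added example, not part of the original article: it flags messages that reuse the lure wording quoted in the Examples section, that carry an order number in the subject different from the one in the body (as two of the samples do), and that attach a PDF containing active-content names. The function names, the reason labels and the list of PDF names are assumptions chosen for illustration; the PDF name check is a general heuristic for script-bearing PDFs of the kind the Win32/Pdfjsc reference describes.

```python
import re
from email.message import EmailMessage

# Phrases shared by the lure templates quoted in the Examples section.
LURE_PHRASES = (
    "this receipt is not proof of purchase",
    "you have chosen to pay by credit card",
    "your card will be charged for the amount of",
)
# PDF name objects that start scripts or actions (heuristic list, an assumption).
ACTIVE_NAMES = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)(?![A-Za-z0-9])")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def pdf_active_names(data):
    """Return the set of active-content names found in raw PDF bytes."""
    # Names may be obfuscated as /J#61vaScript; decode #xx escapes first.
    decoded = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    return {m.group(1).decode() for m in ACTIVE_NAMES.finditer(decoded)}


def triage(msg):
    """Return a sorted list of reasons this message matches the campaign."""
    reasons = set()
    part = msg.get_body(preferencelist=("plain",))
    body = " ".join(part.get_content().lower().split()) if part else ""
    if sum(p in body for p in LURE_PHRASES) >= 2:
        reasons.add("lure-template")
    subj_id = re.search(r"\d{4,}", msg.get("Subject", ""))
    body_id = re.search(r"order reference is (\d+)", body)
    if subj_id and body_id and subj_id.group() != body_id.group(1):
        reasons.add("order-id-mismatch")
    for att in msg.iter_attachments():
        if att.get_content_type() == "application/pdf":
            reasons.add("pdf-attachment")
            if pdf_active_names(att.get_payload(decode=True)):
                reasons.add("pdf-active-content")
    return sorted(reasons)


def build_sample(subject, body, pdf_bytes=None):
    """Build a constructed test message (sample data, not a captured email)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if pdf_bytes is not None:
        msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                           filename="order.pdf")
    return msg
```

Names hidden inside compressed streams are not visible to this raw-byte scan, so an empty result does not clear a file; treat the reasons as inputs to a quarantine decision rather than a verdict.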

References
Malicious PDFs Distributed by Fake Warner Music and Cell Phone Orders
Dell Online Store Trojan Email
Win32/Pdfjsc
Malware emails with fake cellphone invoice


