Debunking email hoaxes and exposing Internet scams since 2003!











Fake Order Notification Emails Carry PDF Exploit

Outline
Emails purporting to be from various organizations, including Broadcast Music, Puremobile, Bobijou and Warner Music, claim to be order notifications about recent purchases and advise recipients to open an attached PDF to review purchase information.



Brief Analysis
The emails are not genuine order notifications and they do not originate with the organizations named in the messages. The attachments are maliciously crafted PDFs that can exploit vulnerabilities in some versions of Adobe Reader. If the vulnerabilities are exploited when the attachment is opened, more malware can be downloaded and installed.

Detailed analysis and references below example.



Last updated: 6th April 2011
First published: 6th April 2011
Article written by Brett M. Christensen
About Brett Christensen and Hoax-Slayer


Examples
Subject: Your Order No 887154 - Broadcast Music, Inc.

Thank you for ordering from Broadcast Music, Inc.

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 887154. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount of 940.00 USD and "Broadcast Music, Inc." will appear next to the charge on your statement. l

Your purchase information appears below in the file.

Broadcast Music, Inc.


Subject: Subject: Your Order Id 92339 | Puremobile Inc.

Thank you for ordering from Puremobile Inc.

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 4813.

You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 705.00 USD and "Puremobile Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.


Subject: Successfull_Order 847664

Thank you for ordering from Bobijou Inc.

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 116357.
You will need this in all correspondence.

This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 771.00 USD and “Bobijou Inc.” will appear next to the charge on your statement.

You will receive a separate email confirming your order has been despatched.

Your purchase and delivery information appears below in attached file.

Thanks again for shopping at Bobijou Inc.


Subject: Your Order Warner Music Inc.

Thank you for ordering from Warner Music Inc. This message is to inform you that your order has been received and is currently being processed.

Your order reference is Warner Music Inc. You will need this in all correspondence.

This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address. You have chosen to pay by credit card.
Your card will be charged for the amount of 629.00 USB and "Warner Music Inc." will appear next to the charge on your statement.

Your purchase information appears below in the file.




Detailed Analysis
Malware emails masquerading as product order notifications are currently being distributed. The messages purport to be from several different organizations, including Broadcast Music, Puremobile, Bobijou and Warner Music. The emails claim that the recipient's credit card has been charged for a recent purchase and that more information about the purchase is available in an attached PDF.

However, the organizations mentioned in the messages did not send them, and the claim that the recipient's credit card has been charged for a purchase from one of these organizations is untrue. The fake order notifications are designed to trick recipients into opening a malicious attachment.

The attachment contains a maliciously crafted PDF that can exploit vulnerabilities in some older versions of Adobe Reader. If the vulnerabilities are successfully exploited when the attachment is opened, a malicious executable file can be downloaded from an external server. This malware can, in turn, download even more malware components.

The criminals responsible for this malware attack rely on the fact that many people, surprised and concerned by what they believe to be an unauthorized transaction on their credit card, are likely to open the attachment without due care and attention.

Criminals have repeatedly used such tactics to distribute malware. Fake purchase order malware campaigns similar to this are likely to continue. Such campaigns are often successful because perfectly legitimate online payment systems will very often send out order notifications to customers after a purchase has been made. Thus, people who buy online and regularly receive purchase notifications via email may be inclined to believe that the malware messages are genuine.

Be very cautious of any email that claims that your credit card or bank account has been charged for something that you did not buy. If you receive such an email, do not open any attachments that come with the email. Do not follow any links in the message as they may lead to malicious websites. If in doubt about a purchase notification email, check with the company directly rather than opening an attachment or following a link.

In order to minimize the risk of succumbing to software exploits, users should always ensure that they are using the most updated versions of programs such as Adobe Reader. They should also ensure that the latest operating system security updates are installed and use virus and malware security software along with a firewall.
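A mail-gateway triage check for the campaign described above, as an added example that is not part of the original article: it flags a message when the body carries at least two of the phrases shared by the sample emails and a PDF is attached. The two-phrase threshold, the `order.pdf` sample and the list of active-content PDF names are assumptions; the article does not say what the attachments contain.

```python
import email
from email import policy
from email.message import EmailMessage

# Phrases shared by the sample messages quoted in this article.
LURE_PHRASES = (
    "thank you for ordering from",
    "this receipt is not proof of purchase",
    "your card will be charged for the amount of",
    "will appear next to the charge on your statement",
)
# Generic PDF names that signal active content (assumption: a common
# triage heuristic, not a description of this campaign's attachments).
ACTIVE_PDF_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def triage(raw_bytes):
    """Return findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    # Lower-case and collapse whitespace so wrapped lines still match.
    text = " ".join(body.get_content().lower().split()) if body else ""
    lures = [p for p in LURE_PHRASES if p in text]
    pdfs = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        # Trust the magic bytes as well as the declared file name.
        if data.lstrip().startswith(b"%PDF-") or name.lower().endswith(".pdf"):
            hits = [n.decode() for n in ACTIVE_PDF_NAMES if n in data]
            pdfs.append({"name": name, "active_names": hits})
    quarantine = len(lures) >= 2 and bool(pdfs)
    return {"lures": lures, "pdfs": pdfs, "quarantine": quarantine}


def build_sample():
    """Constructed sample: lure text from the article plus a harmless stub PDF."""
    m = EmailMessage()
    m["Subject"] = "Your Order No 887154 - Broadcast Music, Inc."
    m.set_content("Thank you for ordering from Broadcast Music, Inc.\n"
                  "This receipt is NOT proof of purchase.\n"
                  "Your purchase information appears below in the file.\n")
    stub = b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n%%EOF\n"
    m.add_attachment(stub, maintype="application", subtype="pdf",
                     filename="order.pdf")
    return m.as_bytes()
```

Calling `triage(build_sample())` returns `quarantine: True`; a flagged message should be held for analysis in an isolated environment rather than opened in a desktop reader.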

References
Malicious PDFs Distributed by Fake Warner Music and Cell Phone Orders
Dell Online Store Trojan Email
Win32/Pdfjsc
Malware emails with fake cellphone invoice


