Adobe 0-days are not the only way in which you can be bitten by a PDF.
Back in March 2009 I blogged here about some spam I was receiving at the time offering various items of software, notably PDF managers and Office applications (to be precise, Open Office). It caught my attention at the time because one of the mails I received offered what looked very much like a fake antivirus program. My conclusion at the time, after some discussion with other security people, was that the scam was probably aimed at re-selling free software, with some risk of misuse of the credit card and other details that you were required to enter onto a web form, and that the fake AV issue was simply that "…if you’re happy to make money by pretending to provide software, including security software, you’re not going to be concerned about whether it’s real or fake software you’re spoofing."
I haven't seen it for a while, but this sort of stuff has clearly not gone away. At any rate, a very similar message was forwarded to a specialist security list today, offering something claiming to be a PDF convertor/generator package and offering a free copy of an Office suite which, looking at the web site, turns out to be Open Office. (Surprise!) Furthermore, I found a number of clones of the same site, suggesting that the guys responsible expect to be shut down, and it includes a registration process that leads to a request for credit card and other details.
Past experience suggests that there are several ways to be bitten by sites like this:
- Paying for software that's actually free
- Paying for software that turns out to be malicious
- Parting with credit card and other data likely to be misused for other types of scam
I plan to look at this one in more detail shortly, but in the meantime, I suggest that you look at stuff like this with an extremely jaundiced eye. Adobe 0-days are not the only way in which you can be bitten by a PDF.
[Tip of the hat to Jim Fenton for the heads-up]
David Harley FBCS CITP CISSP
Research Fellow & Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at: