Two Clever Phishing Attempts

Category: Security

Among the phishing techniques making the rounds, the 'desperately needed user manual' trick is a reliable favorite. If you’ve ever searched online for the user manual of an older computer, household appliance, stereo system, etc., you’ve probably encountered this one. Another recent reprobate is the Google Docs scam. Let’s see how both of them try to trick you...

Pssst... We Got Yer User Manual Right Here!

So you bought a used gizmo from a guy on eBay or Craigslist. The seller doesn’t have a user manual for it but you figure you can find one online in PDF format. You go to the manufacturer’s website but that model is no longer supported; the manual isn’t available. So your next step is to Google the model number and “user manual,” right? That’s when the fun starts.

The people who run these scams pay to be first in Google search results. Their search summaries are dynamically tailored to your search terms so they appear to be offering exactly what you need. “Download user manual for Bosch HES432U…” Heck yeah, you got lucky on your first try! So you click that link and a download starts instantly, instead of taking you to a Web page you could check out carefully.

But that’s OK because the file you’re receiving is just a PDF file; a document, not an executable program that can do things to your hard drive or gather up your email contacts, credit card numbers, bank account passwords, etc., and send them to some dark server in the Ukraine. It’s just a harmless user manual, right? RIGHT?
User Manual Phishing

Probably not; PDF files can contain executable code. The download may actually be an EXE file disguised as a PDF. When you open such a file, it may attempt all of the nefarious actions mentioned above and more. Good anti-malware software will detect and block such auto-executing PDF files. Scammers depend in part on lazy people who don’t have anti-malware protection or don’t keep it up to date; they catch a lot of fish that way. But there are other hooks in the bait as well.

That file, user_manual_for_HES432U.pdf, may contain only an excerpt or abstract of the user manual you’re seeking. It whets your appetite for the full manual and makes you impatient because you just came THAT close to getting what you need. Impatient people make mistakes, like clicking on the link at the end of this sales pitch that says, “Install Conduit to get your user manual.”

Conduit: "A means of transmitting or distributing"

“Conduit Search” is a widespread piece of malware that hijacks your browser. And it's aptly named, because it transmits and distributes all kinds of nasty stuff. It resets your homepage to one the scammer selects; changes your default search engine to; and transmits all of your search queries to a third-party who uses that data for "marketing" purposes. Some say that having Conduit installed may lead to “spear phish” emails that target victims with highly personalized and tempting email spam.

Once installed, Conduit will substitute ads from its paying customers into the search results you get from Google and other ad-supported search engines. When you click on one of those ads, Conduit and its underhanded customers make money.

Conduit will also invisibly manipulate search results so that its customers appear first instead of the firms that your preferred search engine would prioritize. This is so subtle that most users don’t detect anything amiss. People pay Conduit well for biased, sometimes wildly inaccurate placement in search results. For you, the consequence is a lot of time wasted clicking on results that have little to do with your search, and possibly downloading more malware.

Conduit is nasty stuff, and many unscrupulous websites distribute it under the false guise of user manuals. And sadly, some well-known (and formerly trustworthy) download sites such as CNET and Tucows lace their downloads with Conduit. See my related article Downloading? Watch Out For These Danger Signs.

Fortunately, Conduit is well-known malware that many top-tier free anti-malware programs know exactly how to handle. To get rid of a Conduit infection, you need to uninstall its standalone program and then uninstall the Conduit Toolbar and any other malware that Conduit may have added to your browser.

Uninstalling the “Search Protection by Conduit” malware is a routine task; just open Control Panel and use the “Uninstall a program” (Windows 7) or “Add/Remove program” (Windows XP) function to select and remove “Search Protection by Conduit.” While you have that uninstall utility open, use it to remove any other unfamiliar or unwanted programs that you may find.

If neither your existing security software nor the Windows uninstall method cleans up the mess, there are tedious manual (pardon the pun) ways of removing the junk that Conduit adds to your browser, but I prefer to let our trusted friend MalwareBytes Anti-Malware do it automatically. I've written about MBAM previously, in Is MBAM Enough Security?

The Google Docs Phish

I want to also mention a similar scam that's making the rounds, targeting Google account user names and passwords. But instead of getting you to download something you actually searched for, this one is proactive, and often comes to you from a known contact.

The Google Docs phishing attempt will arrive as an email asking you to “click here” to review an important document. It says the document is waiting for you on Google Docs, and all you need to do is sign in with your email address and password. From here, it's the classic "rogue website that looks just like the real one, but actually exists only to steal your username and password" scenario.

Submitting the form with your login credentials sends that information to the hackers, who now have the keys to your Google account. They can impersonate you online; raid your contacts; even send more spam or phishing emails that appear to be from you. Bottom line, don't click before engaging brain.

Have you been a victim of the “user manual phish" or the "Google Docs phish"? Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 13 Feb 2014

For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 12 February 2014

The Top Twenty
Next Article:
What is the Internet of Things?

Most recent comments on "Two Clever Phishing Attempts"

(See all 21 comments for this article.)

Posted by:

13 Feb 2014

Haven't been a victim, but have seen exactly what you say when looking for manuals. Also have seen the 'conduit' episode many times on friends computers when they complain how slow they are. Good article Bob. (¯`·._.·ns¢ävË·._.·´¯)®

Posted by:

13 Feb 2014

Rings a little too close to home Bob....

Just waiting for the next phone call from our 72 year old aunt - her computer started popping up p**n whenever she opened the browser a couple of weeks ago.

She has anti-virus installed BUT it's Norton which decided it would stop during an update and has 'missing bits' - she's on dial-up and even virus definitions take hours sometimes to download.

There is another 'sligh' problem. We are in Cardiff, Wales, UK and she is in Northern California.

Luckily it's near her birthday so we're trying a Fix-it-stick that she can update at her aunt's (92 and still going strong) who she cares for most of the week. Then it's a plug in to the desktop at home and ...... maybe..... fixed.

Copuuter fixing with older relations at 6000 miles distance must be a record!


P.S. On the other hand it's what you do every day isn't it?

Posted by:

13 Feb 2014

Bob ... Thanks, again for another very interesting article! Wow ... I was aware of "Phishing", even before I knew that it was called Phishing. Back in the late 90's, I got an email, from Regions Bank, asking about the information, for my account ... password and etc.. Bottom line ... I have NEVER had an account with Regions Bank!!! So, I knew something was very wrong and bad, with this email.

I just deleted it. After that, I read about Phishing and found out, how to look for the "telltale signs" and how to protect yourself. Mainly ... NEVER ... EVER give anyone your password or personal information, just because it "looks like" it came from your financial institution. One Phishing email, I really got curious about and used the "warning signs" to verify that it was infact a Phish. I also, sent the email on to the company, that was suppose to be getting information, from me. I felt, they needed to know, what was going on.

What really bothers me now ... The fact the PDFs are being used, to pass on "executable" codes, that can basically "infect" your PC or Laptop with malicious malware like the Conduit Search!!! Been there and done that, already in the past 3 months!!! Conduit Search is a very, very nasty malicious malware, that can be extremely hard to remove. Plus, it seems to keep on "expanding" with other malicious malware search engines, like Sweet Packs and etc..

No, I haven't been Phished by this ... I got this, from CNET's ... By, simply downloading an update to a program, where I have used CNET, many, many times before!!! I refuse to use CNET or ZNET and several other well known download websites ... Due to their recent practice of using Foistware, on their users.

Posted by:

13 Feb 2014

Hi there, Just received a new version of an old scam. An email arrived from a good friend, saying she was stuck in Madrid after having been attacked and robbed - needed some cash urgently to pay hotel and buy flight home. Nothing new there, but get this, when we replied (carefully asking her about a fictitious friend and non-existant relative, the scammers had intercepted the reply and sent a further plea for cash. As soon as they mentioned sending funds to Western Union I knew it was a fraud. Sorry WU but every scammer in the Ivory Coast (30% of the population!) uses WU so that is a real alarm bell ringer. Just thought you might want to spread the word, our friend's address book had obviously been hacked - as my email address does not reflect my name, there was no personal greeting, but I'd bet that if I had an email like, they would have started Hi Bob. About time we started a cyber-vigilante group? Thanks for all your good advice over the past couple of years. Ken

Posted by:

Mary Slattery
13 Feb 2014

I received a couple of really despicable phishing emails, supposedly from a funeral home about a recently deceased friend. Fortunately, all my friends are fine, so I marked it as SPAM and deleted it.

Posted by:

Lynn Holland
13 Feb 2014

Bob, thank you for another great warning about internet security. I have a friend who fell victim to the FBI hoax you warned about a while back. As I recall it cost him $400 for some techies to get rid of it for him. At my/your suggestion he now uses avast and malware bytes.

I also clicked too quickly on a CNET!!!! site and ended up with the search.conduit program installed. It was a lot of digging and searching to remove everything.

Thanks for all your great advice.

Posted by:

13 Feb 2014

Luckily I have just installed Avast on my new computer while looking for the words of an old hymn - "The Fruit Salad Chorus" After googling for the words, Avast stopped two sites I had clicked on which claimed to have the words. I wondered if McAfee, which was originally installed, would have stopped them.

Posted by:

13 Feb 2014

For those of you worried about PDF files, Foxit Reader has a safe mode, which should protect you from any nasties.

Posted by:

A Glass
13 Feb 2014

Any time I've ever needed a manual, I've gone to Retrevo to search for and download it. As far as I know, it's a reputable site.

Posted by:

13 Feb 2014

For all of those literature and parts searches plus opening links in emails that look suspicious or have no other information I use an old computer running Linux.
Much of the bad stuff out there does not affect Linux and if the system does get corrupted all I have to do is pop in the live cd and reinstall the OS.
The older versions of Ubuntu (up to and including 10.04lts) will run with 512mb of ram.

Posted by:

13 Feb 2014

I fell for a Google docs scam. An email came from a friend of mine, whose own email account was hacked. There was an uploaded video from a party the previous day. It asked for login and password, which I stupidly gave because the credentials seemed okay. And it downloaded okay too, and it was the right video. When I found out she was hijacked a couple of hours later, I quickly changed my password and luckily have suffered no harm.

Posted by:

BallyIrish Bpb
14 Feb 2014

Thanks Bop, timely reminder!

Crumbs, is there no end to the art of these phangler blokes and the accuracy with which they cast their phlies?

Posted by:

14 Feb 2014

Thanks again Bob!

I have encountered,"click here" to view an important document repeatedly. I've also been directed to a download to view information. These emails are from unknown sources. I've been ignoring both of these for quite some time now. They're quite persistent. So, I just "Delete." The information you provide is so helpful. I stop and think before I click. Then, I "Delete."

Posted by:

14 Feb 2014

This is a good opportunity to warn of the fake Yahoo Mail login panel. Mine came up unexpectedly whilst emailing as "Your Session Has Timed Out" and, of course, I logged back in using my username and password. The very next day my Contact List was attacked with 50% receiving one email and the other 50% a similar one.

I checked with my login history on Yahoo to find that both attacks came from our 'Vi*gra' Canadian

What annoyed me most was that Yahoo's computers did not take note of the fact that all my emails for the past six years had an Indonesian origin and they did not pick up on the fact that there, as clear as a bell, were two adjacent entries from Canada which should have aroused suspicion.

Of course Yahoo never replied to me when I tried to warn them of the fake login panel and, to date,
none of the forums (such as this) have highlighted this danger.

Posted by:

14 Feb 2014

I had an appointment with a new doctor yesterday and they asked me to go to their website to get the new patient paperwork to fill out before the appointment. Once I got there and clicked on New Patient Paperwork, I was surprised to see the download for Conduit pop up. I just went to the appointment early to fill out the paperwork in the office.

Posted by:

Steven Latus
14 Feb 2014

I forward all phishing attempts to and also to Fortunately, I hardly receive any phishing emails at home, but I get quite a few at work. Plain old spam I just delete, but I believe that phishing attempts deserve to be reported. It may not do any good, especially if they originate in another country, but it makes me feel like I at least have some chance of causing these miscreants a bit of trouble.

Posted by:

14 Feb 2014

I was getting a little suspicious of Download.CNET.Com after seeing all of the "Download" links on the same page. I won't use them again. Thanks.

Posted by:

Mike Foreman
14 Feb 2014

Thanks again Bob. I followed your advice and switched from AVG to Avast , much better and have been using MBAM for quite a while. I wouldn't have Norton even if it was free. Had to wipe my hard drive to get it all out. Don't start me on CNET and Conduit, can't get away from it. I back up my HDD and every so often I wipe it it and reload Windows 7. Computer runs faster too and then I pick what I wanton to reload. CNET should be put out of business. I thought Tucows was trustworthy but I won't use them again either.

Posted by:

16 Feb 2014

OK - read and noted your warning. Then a few minutes ago, my fridge stopped working. After reading this warning, I'm afraid to do what I would usually do - google my fridge's make and model to get online suggestions.
How do I do that and know my search will be a safe one? Is there a way to know? Or a safe site that has manuals?
thank you!

Posted by:

pat powers
21 May 2014

I am new subscriber. I am 87 years old and not near as computer literate as you and your followers. My computer is flooded with pop ups, IE does not work, can't receive my e-mails etc,etc.I don't know who to trust.THANK GOD I FOUND YOU.I am reading and studying every one of your e-mails. Question: What combination of free security programs do you recommend that provides overall security? Thank you ever so much. It is a relief to find sone one you trust.

EDITOR'S NOTE: Start with Avast Antivirus (free edition) and MBAM. You can find links here:

There's more reader feedback... See all 21 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Two Clever Phishing Attempts (Posted: 13 Feb 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved