Piggybacking is certainly not a new problem, but it does show that even trusted software has to be approached with eyes wide open.
If you aren't familiar with piggybacking, the CrexTechs blog describes it well:
[I]t is the procedure whereby you are downloading one software application and another is attached to it and you usually have to say "no" to the other app otherwise you get both.
The entrepreneurs (criminals, to be more precise) establish a software Web site where they sell piggyback software. They take care of the site's design, payment processing, the availability of the Web site, etc. They want to "spread the word" about the new site and get revenue. This is where spammers come in. They form a relationship with the entrepreneurs to create spam linking to the new Web site for a cut of the sales. The entrepreneurs are more exposed, so they are also more cautious. They protect themselves with license and term of service agreements. So they delegate the distribution responsibilities to spammers, who take more aggressive approaches since they're more anonymous and not affiliated officially with the Web site.
With that in mind, Websense warned that the release of Adobe Acrobat X is likely a prime target for a piggyback scam. The blog showed screenshots of notifications to download the new Acrobat software, except that the site isn't Adobe's. The blog added:
We have seen hundreds of thousands of these messages, and the spam campaign is still ongoing. You might think that after seeing hundreds of thousands of messages, the spamming affiliate might get blocked by its partner, but similar spam messages are still being sent out. They just use different domains that lead to the entrepreneur site with the same affiliate ID. It's easy money. In this case, the 2-day-old domain www.adobe-acrobat-sofware.com is used.
Best advice: Go to the actual software company's website before downloading anything.
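The advice above, together with the domain rotation Websense describes, can be expressed as a check over links collected from mail. This is an added example, not code from Websense or from this post; the `aff` parameter name, the allowlist, the brand tokens and every sample URL other than the hostname quoted above are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumptions for illustration: the vendor allowlist, the brand tokens and
# the "aff" query parameter are hypothetical, not taken from the page.
OFFICIAL = {"adobe.com"}
BRAND_TOKENS = ("adobe", "acrobat")

# Constructed sample links; only the first hostname is quoted on the page.
SAMPLE = [
    "http://www.adobe-acrobat-sofware.com/?aff=1234",
    "http://acrobat-x-upgrade.example/buy?aff=1234",
    "http://adobe.com.downloads.example/get?aff=1234",
    "http://pdf-tools.example/?aff=9",
    "https://get.adobe.com/reader/",
]

def host_of(url):
    # urlsplit ignores any "user@" prefix, so "adobe.com@host" yields "host".
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(host):
    # Exact match or a true subdomain; a substring match is not enough.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def classify(url):
    host = host_of(url)
    if is_official(host):
        return "official"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

def rotating_affiliates(urls, param="aff", min_domains=2):
    """Return {affiliate ID: sorted hosts} for IDs seen on several hosts."""
    seen = defaultdict(set)
    for url in urls:
        host = host_of(url)
        if is_official(host):
            continue
        for aff in parse_qs(urlsplit(url).query).get(param, []):
            seen[aff].add(host)
    return {a: sorted(h) for a, h in seen.items() if len(h) >= min_domains}

if __name__ == "__main__":
    for link in SAMPLE:
        print(classify(link), link)
    print(rotating_affiliates(SAMPLE))
```

A host that merely contains the vendor's name is classified as a lookalike, and an affiliate ID that appears on several non-vendor hosts is reported as one campaign even as the domains change.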