LinkedIn has more than 90 million members, half of whom are located in the United States. The social network’s membership includes executives from every company listed on the 2010 Fortune 500, which makes it an ideal platform for cyber attacks. Through LinkedIn, cyber criminals can locate key people within an enterprise and target them with spam emails that place malware on their computer or steal their login credentials for email and other sensitive systems.

Sound unlikely? Well, think again.

LinkedIn Spam Targets Unwitting Users

The security team at IBM recently witnessed a malware campaign that targets LinkedIn users. It starts with a simple connect request sent to the victim’s inbox. Here is a screen capture of the email:

For comparison, this is what a real LinkedIn invitation looks like:

As you can see, they are pretty much identical. If you click the “Confirm that you know…” link on the genuine email, it takes you to LinkedIn’s website. If the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer.

The fraudulent website is hxxp:// (“http” was replaced with “hxxp” to avoid confusion). To avoid getting infected, don’t try to follow this link or copy it into your browser. The domain was registered two days ago, and the IP address of the server is in Russia. The domain was designed to look like it’s associated with, but in fact it has nothing to do with

The BlackHole Exploit Kit

The malicious server uses the BlackHole exploit kit to download malware to the victim’s computer. This exploit kit used to sell for $1,500 but was recently made available for free. Its first version appeared on the black market in August 2010. It is based on PHP and has a MySQL database. BlackHole has infected thousands of websites, exploiting vulnerabilities on visitors’ computers in order to place malware on them. This attack is also known as a drive-by download.

This specific malicious website uses BlackHole to download the notorious Zeus 2 malware to the victim’s computer. Zeus is a well-known and highly sophisticated piece of malware. Many mistakenly think that Zeus is only associated with financial fraud; however, we’ve recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and gain unauthorized access to sensitive systems.

Enterprise users who click this link risk infecting their computers with Zeus, allowing cyber criminals to access their workstation and, from there, access sensitive corporate information and data. The attack becomes even more dangerous when Zeus infects workstations and laptops that are outside the enterprise network but are used to access the enterprise through VPNs.

Once installed, this variant of Zeus sends the information it steals to the following server in China: hxxp:// (IP address:

Download Free e-Book: Stopping Zero-Day Exploits For Dummies

Just How Dangerous Is This Attack?

How likely are users to click this link and access this malicious server? A survey we conducted several months ago shows that 68 percent of enterprise users who receive a LinkedIn spam message are likely to click on it and inadvertently download malware.

We are in the habit of clicking on links from social networks. They send us updates with calls to action on a daily basis and encourage us to follow links that increase the usage of their websites. Many users automatically click on such links without verifying their authenticity, an extremely dangerous practice. The LinkedIn spam is even more dangerous; LinkedIn integrates the action link into a button, which makes it even harder to retrieve and verify.

Recent attacks against RSA, Epsilon, Sony, Google, Oak Ridge National Laboratory and many other enterprises demonstrate the vulnerability of endpoints against targeted malware attacks. Cyber criminals are putting a great deal of effort into these attacks and are unfortunately finding success.

Only two out of 42 anti-malware solutions detect this variant at the moment; most of the leading anti-malware solutions do not detect it. This demonstrates how easy it is for malware authors to create variants that completely fly under the radar of anti-malware solutions. The critical time for this attack was the last couple of days, when there was close to zero protection from anti-malware solutions. Tomorrow’s detection rates are irrelevant; by then, there will be some other variant attacking enterprises.


For Individuals Never click on email links from social networking websites. We even recommend leaving the emails unopened. Access your social networks by typing their addresses into your browser. Log in to your account and read your messages directly from your profile’s inbox.

For Enterprises: Your employees’ endpoints are highly targeted by cyber criminals. Unmanaged employee devices are the biggest security threat, but endpoint devices within the network are also a concern. The fact that you have a leading anti-malware solution installed on your endpoints doesn’t mean you’re immune to these attacks, which often use zero-day vulnerabilities and zero-day malware variants to bypass anti-malware solutions. Enterprises should complement their endpoint security with a zero-day data-protection solution.

More from Malware

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today