LinkedIn has more than 90 million members, half of whom are located in the United States. The social network’s membership includes executives from every company listed on the 2010 Fortune 500, which makes it an ideal platform for cyber attacks. Through LinkedIn, cyber criminals can locate key people within an enterprise and target them with spam emails that place malware on their computer or steal their login credentials for email and other sensitive systems.

Sound unlikely? Well, think again.

LinkedIn Spam Targets Unwitting Users

The security team at IBM recently witnessed a malware campaign that targets LinkedIn users. It starts with a simple connect request sent to the victim’s inbox. Here is a screen capture of the email:

For comparison, this is what a real LinkedIn invitation looks like:

As you can see, they are pretty much identical. If you click the “Confirm that you know…” link on the genuine email, it takes you to LinkedIn’s website. If the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer.

The fraudulent website is hxxp:// (“http” was replaced with “hxxp” to avoid confusion). To avoid getting infected, don’t try to follow this link or copy it into your browser. The domain was registered two days ago, and the IP address of the server is in Russia. The domain was designed to look like it’s associated with, but in fact it has nothing to do with

The BlackHole Exploit Kit

The malicious server uses the BlackHole exploit kit to download malware to the victim’s computer. This exploit kit used to sell for $1,500 but was recently made available for free. Its first version appeared on the black market in August 2010. It is based on PHP and has a MySQL database. BlackHole has infected thousands of websites, exploiting vulnerabilities on visitors’ computers in order to place malware on them. This attack is also known as a drive-by download.

This specific malicious website uses BlackHole to download the notorious Zeus 2 malware to the victim’s computer. Zeus is a well-known and highly sophisticated piece of malware. Many mistakenly think that Zeus is only associated with financial fraud; however, we’ve recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and gain unauthorized access to sensitive systems.

Enterprise users who click this link risk infecting their computers with Zeus, allowing cyber criminals to access their workstation and, from there, access sensitive corporate information and data. The attack becomes even more dangerous when Zeus infects workstations and laptops that are outside the enterprise network but are used to access the enterprise through VPNs.

Once installed, this variant of Zeus sends the information it steals to the following server in China: hxxp:// (IP address:

Download Free e-Book: Stopping Zero-Day Exploits For Dummies

Just How Dangerous Is This Attack?

How likely are users to click this link and access this malicious server? A survey we conducted several months ago shows that 68 percent of enterprise users who receive a LinkedIn spam message are likely to click on it and inadvertently download malware.

We are in the habit of clicking on links from social networks. They send us updates with calls to action on a daily basis and encourage us to follow links that increase the usage of their websites. Many users automatically click on such links without verifying their authenticity, an extremely dangerous practice. The LinkedIn spam is even more dangerous; LinkedIn integrates the action link into a button, which makes it even harder to retrieve and verify.

Recent attacks against RSA, Epsilon, Sony, Google, Oak Ridge National Laboratory and many other enterprises demonstrate the vulnerability of endpoints against targeted malware attacks. Cyber criminals are putting a great deal of effort into these attacks and are unfortunately finding success.

Only two out of 42 anti-malware solutions detect this variant at the moment; most of the leading anti-malware solutions do not detect it. This demonstrates how easy it is for malware authors to create variants that completely fly under the radar of anti-malware solutions. The critical time for this attack was the last couple of days, when there was close to zero protection from anti-malware solutions. Tomorrow’s detection rates are irrelevant; by then, there will be some other variant attacking enterprises.


For Individuals Never click on email links from social networking websites. We even recommend leaving the emails unopened. Access your social networks by typing their addresses into your browser. Log in to your account and read your messages directly from your profile’s inbox.

For Enterprises: Your employees’ endpoints are highly targeted by cyber criminals. Unmanaged employee devices are the biggest security threat, but endpoint devices within the network are also a concern. The fact that you have a leading anti-malware solution installed on your endpoints doesn’t mean you’re immune to these attacks, which often use zero-day vulnerabilities and zero-day malware variants to bypass anti-malware solutions. Enterprises should complement their endpoint security with a zero-day data-protection solution.

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today