LinkedIn Spam Emails Download Malware

June 2, 2011

LinkedIn has more than 90 million members, half of whom are located in the United States. The social network’s membership includes executives from every company listed on the 2010 Fortune 500, which makes it an ideal platform for cyber attacks. Through LinkedIn, cyber criminals can locate key people within an enterprise and target them with spam emails that place malware on their computer or steal their login credentials for email and other sensitive systems.

Sound unlikely? Well, think again.

LinkedIn Spam Targets Unwitting Users

The security team at IBM recently witnessed a malware campaign that targets LinkedIn users. It starts with a simple connect request sent to the victim’s inbox. Here is a screen capture of the email:

For comparison, this is what a real LinkedIn invitation looks like:

As you can see, they are pretty much identical. If you click the “Confirm that you know…” link on the genuine email, it takes you to LinkedIn’s website. If the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer.

The fraudulent website is hxxp://salesforceappi.com/loginapi.php?tp=1da14085e243eaf9 (“http” was replaced with “hxxp” to avoid confusion). To avoid getting infected, don’t try to follow this link or copy it into your browser. The domain salesforceappi.com was registered two days ago, and the IP address of the server is in Russia. The domain was designed to look like it’s associated with Salesforce.com, but in fact it has nothing to do with Salesforce.com.

The BlackHole Exploit Kit

The malicious server uses the BlackHole exploit kit to download malware to the victim’s computer. This exploit kit used to sell for $1,500 but was recently made available for free. Its first version appeared on the black market in August 2010. It is based on PHP and has a MySQL database. BlackHole has infected thousands of websites, exploiting vulnerabilities on visitors’ computers in order to place malware on them. This attack is also known as a drive-by download.

This specific malicious website uses BlackHole to download the notorious Zeus 2 malware to the victim’s computer. Zeus is a well-known and highly sophisticated piece of malware. Many mistakenly think that Zeus is only associated with financial fraud; however, we’ve recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and gain unauthorized access to sensitive systems.

Enterprise users who click this link risk infecting their computers with Zeus, allowing cyber criminals to access their workstation and, from there, access sensitive corporate information and data. The attack becomes even more dangerous when Zeus infects workstations and laptops that are outside the enterprise network but are used to access the enterprise through VPNs.

Once installed, this variant of Zeus sends the information it steals to the following server in China: hxxp://xwhoisdns.com/msofficepsdx.php (IP address: 122.224.18.36).


Just How Dangerous Is This Attack?

How likely are users to click this link and access this malicious server? A survey we conducted several months ago shows that 68 percent of enterprise users who receive a LinkedIn spam message are likely to click on it and inadvertently download malware.

We are in the habit of clicking on links from social networks. They send us updates with calls to action on a daily basis and encourage us to follow links that increase the usage of their websites. Many users automatically click on such links without verifying their authenticity, an extremely dangerous practice. The LinkedIn spam is even more dangerous; LinkedIn integrates the action link into a button, which makes it even harder to retrieve and verify.
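As an added example (not code from the original post), the following Python routine does the check the paragraphs above say is hard to do by eye: it pulls every link out of an HTML invitation body, including ones hidden behind styled buttons, and flags links whose registrable domain is not the purported sender's, separating brand-lookalike hosts (the salesforceappi.com pattern) from other external hosts. The sample body, the brand list and the reserved `.example` domains are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names a lure domain may imitate (assumed list, not from the post).
BRANDS = ("linkedin", "salesforce")

class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs, including links hidden behind styled buttons."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def registrable_domain(host):
    """Last two labels only; assumes no public-suffix handling (e.g. co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_link(href, expected_domain):
    """'trusted' on the sender's own domain, 'lookalike' if another host merely
    contains a brand name, otherwise 'external'."""
    host = urlparse(href).hostname or ""
    if registrable_domain(host) == expected_domain:
        return "trusted"
    return "lookalike" if any(b in host for b in BRANDS) else "external"

def suspicious_links(html, expected_domain="linkedin.com"):
    """Return (text, href, verdict) for each link that leaves the sender's domain."""
    parser = _LinkCollector()
    parser.feed(html)
    verdicts = [(t, h, classify_link(h, expected_domain)) for t, h in parser.links]
    return [entry for entry in verdicts if entry[2] != "trusted"]

# Constructed sample body in the style of the invitation described above (.example
# domains are reserved placeholders, not the real lure domain).
SAMPLE_EMAIL_HTML = """<html><body><p>Join my network on LinkedIn</p>
<a href="http://salesforce-appi.example/loginapi.php?tp=0123abcd" style="background:#069;color:#fff;padding:8px">Confirm that you know Jane</a>
<a href="https://www.linkedin.com/e/abc">View profile</a>
<a href="http://cdn-tracker.example/u">Unsubscribe</a></body></html>"""
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` reports the "Confirm" button as a lookalike and the unsubscribe link as external, while the genuine linkedin.com link is not flagged.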

Recent attacks against RSA, Epsilon, Sony, Google, Oak Ridge National Laboratory and many other enterprises demonstrate the vulnerability of endpoints against targeted malware attacks. Cyber criminals are putting a great deal of effort into these attacks and are unfortunately finding success.

Only two out of 42 anti-malware solutions detect this variant at the moment; most of the leading anti-malware solutions do not detect it. This demonstrates how easy it is for malware authors to create variants that completely fly under the radar of anti-malware solutions. The critical time for this attack was the last couple of days, when there was close to zero protection from anti-malware solutions. Tomorrow’s detection rates are irrelevant; by then, there will be some other variant attacking enterprises.

Recommendations

For Individuals: Never click on email links from social networking websites. We even recommend leaving the emails unopened. Access your social networks by typing their addresses into your browser. Log in to your account and read your messages directly from your profile’s inbox.

For Enterprises: Your employees’ endpoints are highly targeted by cyber criminals. Unmanaged employee devices are the biggest security threat, but endpoint devices within the network are also a concern. The fact that you have a leading anti-malware solution installed on your endpoints doesn’t mean you’re immune to these attacks, which often use zero-day vulnerabilities and zero-day malware variants to bypass anti-malware solutions. Enterprises should complement their endpoint security with a zero-day data-protection solution.

Mickey Boodaei
Founder, Trusteer, an IBM company

Mickey Boodaei co-founded Trusteer in 2006 and served as Chief Executive Officer until December 2013. Mickey previously co-founded Imperva Inc., in 2000, whe...