Fake Join my network on LinkedIn email scam has links to BlackHole Exploit Kit
For the past few days I have been receiving email scams claiming to come from LinkedIn, some of which are password reset scams, with the latest being an invitation to join somebody's LinkedIn network. Both are scams, with links leading directly to a compromised website that is hosting the BlackHole Exploit Kit.
Let's take a look at the most recent LinkedIn scam: "Join my network on LinkedIn"
The email Subject is: Join my network on LinkedIn.
The (spoofed) From (sender) address is: [email protected].
The Reply-To address is spoofed as: [email protected]
The first Received from line, from the final mail server is:
Received: from [182.182.16.190] (port=1664) - which is definitely not LinkedIn.com. Further details reveal that the message was sent from mail.bucklerboots.com, not LinkedIn.com.
The message body is loaded with images drawn from LinkedIn and text containing the following come-on:
"Mimi Kauffman has indicated you are a Friend ... I'd like to add you to my professional network on LinkedIn.- Mimi Kauffman ... View invitation from Mimi Kauffman (has payload link) ... WHY MIGHT CONNECTING WITH Mimi Kauffman BE A GOOD IDEA? Mimi Kauffman's connections could be useful to you After accepting Mimi Kauffman's invitation, check Mimi Kauffman's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future."
My apologies to Mimi Kauffman, whoever you are. Contrary to the claim in the message, we are NOT friends and do not know each other. Spammers are using your harvested name in scams, just like they might be using mine or anybody else's. It is a tactic used to gain trust; a con game; "a Joe Job."
The text is much like what a LinkedIn member would receive in a legitimate request. Spammers join LinkedIn so they can gather templates from actual email messages, for use in scam campaigns. Then, they substitute their own poisoned links for LinkedIn links, to drive victims to booby-trapped websites.
The hostile links
I noted in the quoted section that the words "View invitation from Mimi Kauffman" were wrapped in a link. If this had been an actual LinkedIn email, the link would have started with http://www.linkedin.com/... However, this link and the others that followed it go to a compromised WordPress website, at h**p://www.nabytok.ws/wp-content/themes/esp/page9.htm. The file named page9.htm contains the BlackHole Exploit code, which targets Java and Flash (and sometimes Adobe Reader and certain brands and versions of browsers), looking for an unpatched version of that software on a victim's computer.
If the victim's computer does have a vulnerable version of Java, which is the first item attacked, BlackHole will attempt to silently install a Trojan downloader. If that succeeds, the next step is to install a rootkit, then to download additional malware, which might include banking Trojans such as ZeuS, fake security programs, or spyware. In all cases the package includes a botnet module, so that the computer can be used to host exploits, send spam, or take part in DDoS attacks on other systems.
Note: it is possible for code to try to load an outdated version of Java from its default installation path. Even legitimate programs have been known to do this, to use special features present in certain versions of this heavily exploited software. In the past, one had to manually uninstall outdated versions of Java. Now, installing a new version will remove older versions, back to a certain point. Windows users should go to Control Panel > Add/Remove Programs (or Programs and Features) and check (A) whether Java is installed at all and (B) whether more than one version is listed. If it is installed and older versions are also listed, uninstall all but the most recent version, for your own safety. Then visit www.java.com and check whether your remaining version is the most recent one available for your operating system or device. If not, update it immediately and, if necessary, manually remove the previous version.
If you don't know of any programs you use, or websites you always visit which run Java Applets you deem important, just uninstall Java altogether and eliminate that attack vector. You probably won't even miss it.
Note: Java is not the same as JavaScript. They are completely different things.
LinkedIn users are just one of many specific groups of people targeted in recent spam blasts. LinkedIn is a major social network, like Facebook and Twitter, so cyber-criminals frequently attempt to exploit the trust its members place in the network. Further, LinkedIn members tend to be professionals in their fields, making them a juicier target for cyber-thieves.
My advice to LinkedIn members and everybody else reading this is to always hover over links in emails before clicking on them. This will usually cause the actual destination URL to be displayed in a status bar at the bottom of your browser window (for webmail) or email client. If the link displayed is not going to the domain indicated in the text or graphics of the message, assume it is hostile, meant to infect your computer and force it into a malware botnet.
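As an added illustration of the two checks described in this post (the Received header versus the claimed sender, and the link targets versus the claimed domain), here is a Python script that is not part of the original article. It parses a constructed sample message modelled on the scam above; the relay IP, the relay's HELO name and the compromised-site hostname are placeholders, not the real values.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the scam above, not a real capture: the relay IP
# and the compromised host are placeholders from reserved documentation ranges.
SAMPLE_EML = """\
Received: from [192.0.2.10] (port=1664 helo=mail.bulk-sender.example)
From: LinkedIn <invitations@linkedin.com>
Content-Type: text/html

<html><body><p>Mimi Kauffman has indicated you are a Friend</p>
<a href="http://compromised-site.example/wp-content/themes/esp/page9.htm">View invitation from Mimi Kauffman</a>
<a href="http://www.linkedin.com/help">Learn why we included this</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def analyse(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = msg["From"].addresses[0].domain.lower()   # domain the mail claims to come from
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    hosts = [(text, (urlparse(href).hostname or "").lower()) for href, text in collector.links]
    offsite = [(text, host) for text, host in hosts if not in_domain(host, claimed)]
    # msg["Received"] is the topmost header, i.e. the one added by the final mail server.
    match = re.search(r"from\s+\[?([\w.\-]+)\]?", msg["Received"] or "")
    relay = match.group(1).lower() if match else ""
    return {"claimed": claimed, "relay": relay,
            "relay_in_sender_domain": in_domain(relay, claimed), "offsite_links": offsite}
```

Run `analyse()` on a raw message and any link whose host is outside the sender's domain, or a first relay that is not in that domain, is the mismatch the hover-over check would reveal by hand.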
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.