Beware of messages in LinkedIn.
Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn. The quantities were significant, tens of thousands an hour, and these were pretty convincing messages…

Most spam attacks of this sort simply link to a malware file, which the browser then downloads and offers to run. If an antivirus does not intercept such a file, Windows will ask for permission to run it, and it is easy enough to say no.
But this attack is different and much more serious. Each of the malicious domains such as linkedin-reports.com or linkedin-alert.com hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications.
Clicking on the “follow this link” hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however, there is a lot going on behind the scenes.
Below is what the behind-the-scenes network traffic looked like.

…As convincing as they may be, these emails have nothing to do with LinkedIn. The from address is fake and the “Follow this link” hyperlink leads to one of a set of recently registered domains deliberately set up to serve malicious content…
This traffic capture shows a series of attacks against Internet Explorer (1), against the Adobe PDF reader plug-in (2) and finally against Windows Media Player (3). Eventually these exploits result in the download of Trojan.Jorik (4).
Trojan.Jorik is a password stealer which gets right to work, periodically checking in with its command and control server (5).
After contacting the control server the Trojan contacts another server (6) for an interesting – and somewhat scary – configuration file…
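The two signals the post calls out, a forged LinkedIn sender and links to recently registered brand-lookalike domains such as linkedin-reports.com and linkedin-alert.com, are easy to check at the mail gateway. The following is an added example, not Barracuda's code or any product's logic; the sample message is constructed, and the registrable-domain helper is a deliberate simplification that does not use a public-suffix list.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# The legitimate domain this campaign impersonates. Any link host that carries the
# brand string but resolves to a different registrable domain is treated as a lookalike.
LEGIT_DOMAINS = {"linkedin.com"}
BRAND = "linkedin"

URL_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for .com lookalikes; a real gateway
    would consult the public-suffix list instead (assumption, kept simple here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_domains(raw_email: str) -> list:
    """Registrable domains of links that mention the brand but are not the real site."""
    msg = message_from_string(raw_email)
    parts = [p for p in msg.walk() if not p.is_multipart()] if msg.is_multipart() else [msg]
    body = "".join(str(p.get_payload()) for p in parts)
    found = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        if BRAND in host and dom not in LEGIT_DOMAINS and dom not in found:
            found.append(dom)
    return found


def sender_claims_brand(raw_email: str) -> bool:
    """True when the From header presents itself as coming from the real domain."""
    sender = (message_from_string(raw_email).get("From") or "").lower()
    return any(d in sender for d in LEGIT_DOMAINS)


def is_suspicious(raw_email: str) -> bool:
    """Flag the combination seen in this campaign: brand sender plus lookalike link targets."""
    return sender_claims_brand(raw_email) and bool(lookalike_domains(raw_email))


# Constructed sample modelled on the campaign; the two link domains are the ones named in the post.
SAMPLE = """From: LinkedIn <messages-noreply@linkedin.com>
Subject: Invitation reminder

You have a pending invitation. Follow this link: http://linkedin-reports.com/view?id=42
Or use http://www.linkedin-alert.com/login
"""

if __name__ == "__main__":
    print(is_suspicious(SAMPLE), lookalike_domains(SAMPLE))
```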
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

