Cybercriminals are currently spamvertising LinkedIn themed messages, in an attempt to trick end and corporate users into clicking on the malicious links embedded in the emails.
The campaign is using real names of LinkedIn users in an attempt to increase the authenticity of the spamvertised campaign.
More details:
Upon clicking on the malicious link, users are presented with a “Please wait page is loading…” page, whereas the malicious URL will try to exploit the “Help Center URL Validation Vulnerability” also known as CVE-2010-1885.
Sample client-side exploitation structure is as follows:
hxxp://therapower.com/jmwaWRj9/index.html
hxxp://174.133.92.122/MgGsg1Pp/js.js
hxxp://176.28.18.135:8080/showthread.php?t=73a07bcb51f4be71
hxxp://176.28.18.135:8080/content/Qai.jar
hxxp://176.28.18.135:8080/content/ap2.php?f=14095
The campaign is ultimately dropping the following malware sample: MD5: 517a86d7fe88aa53658fab1be7b7ef36. The same IP, 176.28.18.135 was also observed as a command and control served used by the following MD5: 02ce2bb3c0d58c9360bb185d6b200e03.
The cybercriminals behind the campaign are currently relying on thousands of compromised legitimate sites, in an attempt to trick web reputation filters into thinking that the payload is not malicious. Combined with the ever-decreasing price for launching a spam campaign through a botnet, the cybercriminals behind the campaign will definitely break-even from their original investment, and achieve a positive ROI (return on investment).
Webroot’s security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this threat. Meanwhile, end and corporate users are advised to avoid interacting with the emails, to access the LinkedIn.com directly, and to ensure that they’re not running outdated versions of their third-party applications and browser plugins.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
Although my main subject is home security I was looking to expand my blog with internet security.
found some interesting posts on you blog.
Can I quot you with a link back to you article?
Thanks
Eddie
http://lblhomedefenseproducts.com/
Hi Eddie – Thanks for checking out our blog! That would be just fine. Feel free to use any of the content you find on our blog with a link back to the post you found it on.
I’ve been using LinkedIn for quite some time, and I’ve only recieved a couple messages that seemed to me to be spam, and honestly, they weren’t that bad. This is really bad what you’re talking about here. I really glad I know about this now so that I can make sure to keep an eye out for these exploits. Thanks so much for this info.
I agree with Nic, I have not seen a lot of spam coming through linkIn, but the stuff you’ve identified here is pretty clever and could be pretty damaging. Thanks for the info.