Spam in fake LinkedIn messages


MX Lab, http://www.mxlab.eu, has noticed a large spam campaign on behalf of the Canadian Family Pharmacy in fake LinkedIn messages.

The messages come from the spoofed email address <member@linkedin.com>, with sender names such as:

Fenella  Macdonald via LinkedIn <member@linkedin.com>
Catriona  Bailey via LinkedIn <member@linkedin.com>
Susan  Jones via LinkedIn <member@linkedin.com>
....

Subjects in use:

Can i place your photo on my site?
Can i place your photo on our facebook page?
Can i place your information on our web page?
Can i place your video on our web site?
Can i place your video on my facebook page?
Can i place your contacts on our twitter page?
…..

Example of the email:

The URLs in the message point to different web hosts and pages containing the following redirect HTML (the shown URL is defanged with hxxp):

<html><head><title>Buy Viagra Online – Online Pharmacy</title>
<style type="text/css"> a { font-size: 24pt; } </style>
<script type="text/javascript">var a = "hxxp://viagralevitratestosterone.com";window.location = a;</script>
</head><body><center><h1>#1 Online Pharmacy</h1><br>Online DrugStore<br>
<a href="hxxp://viagralevitratestosterone.com">Buy Viagra Online</a></center></body></html>

The redirect in turn points to hxxp://viagralevitratestosterone.com.
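To illustrate the two checks a mail filter would apply to this campaign (a LinkedIn-branded From address whose envelope sender is elsewhere, plus the subject template) and how the landing page's indirect JavaScript redirect can be extracted without executing it, here is an added example in Python. It is not MX Lab's code; the sample message and landing page are constructed to mirror the ones described above, with placeholder hosts.

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample modelled on the campaign above (placeholder hosts, not a real capture).
SAMPLE_EMAIL = """From: Fenella Macdonald via LinkedIn <member@linkedin.com>
Return-Path: <bounce@bulkmailer.invalid>
Subject: Can i place your photo on my site?
Content-Type: text/plain

Click here: http://landing-host.invalid/page.html
"""

# Constructed landing page mirroring the redirect HTML shown above (placeholder target host).
SAMPLE_LANDING = '''<html><head><title>Buy Viagra Online - Online Pharmacy</title>
<script type="text/javascript">var a = "http://pharmacy.invalid";window.location = a;</script>
</head><body><h1>#1 Online Pharmacy</h1></body></html>'''

# Subject template used by the campaign: "Can i place your <thing> on my/our <place>?"
SUBJECT_RE = re.compile(r"^can i place your \w+ on (my|our) ", re.I)

def sender_domain(addr_header):
    """Domain of the address in angle brackets (or of a bare address); '' if none."""
    m = re.search(r"<([^>]+)>", addr_header or "")
    addr = m.group(1) if m else (addr_header or "").strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyse_message(raw):
    """Return the reasons a message looks like the fake-LinkedIn campaign (empty if none)."""
    msg = email.message_from_string(raw)
    reasons = []
    from_dom = sender_domain(msg["From"])
    rp_dom = sender_domain(msg["Return-Path"])
    # LinkedIn branding in From, but the envelope sender belongs to another domain: spoofing.
    if from_dom.endswith("linkedin.com") and rp_dom and not rp_dom.endswith("linkedin.com"):
        reasons.append(f"From claims {from_dom} but Return-Path is {rp_dom}")
    if SUBJECT_RE.search(msg["Subject"] or ""):
        reasons.append("subject matches campaign template")
    return reasons

def find_js_redirect(html):
    """Target of a window.location redirect; resolves the 'var x = "..."; window.location = x' form."""
    variables = dict(re.findall(r'var\s+(\w+)\s*=\s*["\']([^"\']+)["\']', html))
    m = re.search(r'window\.location(?:\.href)?\s*=\s*([^;]+);', html)
    if not m:
        return None
    rhs = m.group(1).strip()
    return rhs.strip("\"'") if rhs[0] in "\"'" else variables.get(rhs)

def redirect_host(html):
    """Hostname the landing page redirects to, or None when no redirect is found."""
    target = find_js_redirect(html)
    return urlparse(target).hostname if target else None
```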

Emails with subject “So now you’re on LinkedIn: What’s next?” lead to malware


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “So now you’re on LinkedIn: What’s next?”. This campaign is a follow-up of the LinkedIn Messages, 9/30/2010 campaign that we reported yesterday. The malware has not changed in any way.

The email is sent from the spoofed address “LinkedIn <linkedin@em.linkedin.com>”, the email headers are forged and the message has the following body with complete LinkedIn branding:

The message is very similar to the LinkedIn Alert email threat we saw a few days ago, but it now uses a different approach to distribute the malware after a link in the message is clicked.

All the URLs first redirect the visitor to a web site and then immediately redirect them to hxxp://hatcher.com.au/1.html. When the web page is loaded, an image prompts you to install the Adobe Flash Player and the file flash_player_07.78.exe is offered for download.

The trojan is known as Trojan-Spy.Win32.Zbot.aptt (Kaspersky), Win32/Spy.Zbot.ZR (NOD32), Trojan.Zbot (PCTools), Trojan.Generic.KD.44402 (F-Secure).

The following files will be created:

%AppData%\Yguze\ubce.exe
%AppData%\Ywimuq\ipafe.tiy
%AppData%\Ywimuq\ipafe.tmp
%Temp%\tmp0e1f500d.bat

The following directories are created:

%AppData%\Yguze
%AppData%\Ywimuq

A new process is created:

ubce.exe

Several Windows registry changes will be executed, and the trojan will establish a connection with the host ohmaebahsh.ru on port 80 and perform a GET request for bin/koethood.bin.

VirusTotal permalink and MD5: b77b6eac5d9e9d088b400652405c4b19.
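As an added example of turning the host indicators above (dropped files, directories and the dropper's MD5) into a check an incident responder can run on a workstation, here is a Python scanner. It is not MX Lab's code; the base directories are taken from %AppData% and %Temp% by default but can be supplied explicitly, and build_demo_tree() creates a constructed directory layout so the check can be exercised offline without the real sample.

```python
import hashlib
import os
import tempfile

# Indicators listed in the write-up above (relative to %AppData% / %Temp%).
DIR_INDICATORS = [("APPDATA", "Yguze"), ("APPDATA", "Ywimuq")]
FILE_INDICATORS = [
    ("APPDATA", os.path.join("Yguze", "ubce.exe")),
    ("APPDATA", os.path.join("Ywimuq", "ipafe.tiy")),
    ("APPDATA", os.path.join("Ywimuq", "ipafe.tmp")),
    ("TEMP", "tmp0e1f500d.bat"),
]
DROPPER_MD5 = "b77b6eac5d9e9d088b400652405c4b19"  # MD5 given in the write-up

def md5_of(path):
    """Hex MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_host(env=None):
    """Return indicator hits as ('dir', path) or ('file', path, md5) tuples.

    env maps 'APPDATA' and 'TEMP' to base directories; it defaults to the process
    environment, which is what you want when running this on a Windows host.
    """
    env = os.environ if env is None else env
    hits = []
    for base, rel in DIR_INDICATORS:
        if env.get(base) and os.path.isdir(os.path.join(env[base], rel)):
            hits.append(("dir", os.path.join(env[base], rel)))
    for base, rel in FILE_INDICATORS:
        p = os.path.join(env.get(base, ""), rel)
        if env.get(base) and os.path.isfile(p):
            hits.append(("file", p, md5_of(p)))
    return hits

def is_known_dropper(path):
    """True when the file's MD5 equals the dropper hash from the write-up."""
    return md5_of(path) == DROPPER_MD5

def build_demo_tree():
    """Constructed layout mimicking the infection (dummy content, NOT the real sample)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Yguze"))
    with open(os.path.join(root, "Yguze", "ubce.exe"), "wb") as f:
        f.write(b"placeholder bytes, not the trojan")
    return {"APPDATA": root, "TEMP": root}
```

On a real host, scan_host() with no argument checks the actual profile directories; a non-empty result or is_known_dropper() returning True on a downloaded flash_player_07.78.exe is the trigger to isolate the machine.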

MX Lab group on LinkedIn


“Join the corporate group of MX Lab, provider of email security services like zero hour anti virus, managed anti spam and email archiving solutions. This group is open to everyone who is involved or interested in email security.”

Join the MX Lab group on LinkedIn.

WordPress comments lead to fake profiles on LinkedIn


Although it has nothing to do with real spam, it caught my attention when managing the MX Lab blog. When reading some comments I noticed that the provided URL was leading to a LinkedIn profile. Some examples are below.

New comment on your post #125 “Email pollution and spam to think about”
Author : Heartburn Home Remedy (IP: 92.112.90.181 , 181-90-112-92.pool.ukrtel.net)
E-mail : vin45ce45622@gmail.com
URL    : http://www.linkedin.com/in/heartburnhomeremedy
Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=92.112.90.181
Comment: 

I read your blog for quite a long time and must tell that your posts are always valuable to readers.

And this one

New comment on your post #230 “Nice Citibank phishing attempt example”
Author : How to Get Six Pack Fast (IP: 92.112.81.15 , 15-81-112-92.pool.ukrtel.net)
E-mail : vincedel422@gmail.com
URL    : http://www.linkedin.com/in/howtogetasixpackfast
Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=92.112.81.15
Comment: 

After reading this article, I just feel that I need more info. Can you suggest some resources?

Visiting the URL leads to the fake LinkedIn profile.

Notice the three web site links in the profile. They lead to http://bit.ly, which is a URL shortener and tracking service.

The following sites appear when visiting some of the links; they are obviously very commercial.

Be careful when using or visiting sites that are promoted through a URL shortening and tracking service. Because the URL is so short and no details of the real URL are visible, you could end up visiting sites that host malware or are phishing sites. It is a very common technique to lure the surfer.
