
Low Volume Under-the-radar Malicious LinkedIn Spam

10.12.2008 - 12:33 PM
Last week here in the labs, we started to receive a small amount of email that caught my eye. Our Threatseeker network saw less than 40 of these messages on the same day. This number of messages was tiny, but there is a good reason for malware authors to send so few messages: it keeps their efforts under the radar, which may help them succeed in their ultimate goal.

The social engineering aspects of these messages are interesting. At first glance, the messages are almost believable. They are spoofed to look as though they came in from the LinkedIn support team. LinkedIn is another Web 2.0 site whose name is being used to try to gain the trust of the email recipient.

The screenshot below shows that the message looks as though it's a reply from LinkedIn support to a desperate user's request to import their contacts from LinkedIn.

The highlighted portions of the message raised red flags for me. Another red flag, not visible in the screenshot, is the mailto link behind support@linkedin.com at the beginning of the thread. This LinkedIn customer supposedly sent a request to support@linkedin.com, but the link actually points to support@ups.com. That alone made it obvious to me that the message had been spoofed. Apart from the grammatical mistakes typical of spam, another red flag was the date mismatch in the thread. Lastly, as a security researcher, I'm always suspicious of emails with attachments.

In the screenshot below, you can see how our on-premises messaging product breaks down messages and makes it possible to review the contents of .zip attachments. The contacts.zip attachment has what looks like a text document called contacts.scr. Further analysis of the file confirms that it is, in fact, a PE executable, and not a text file like the icon suggests.
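The two red flags above, a mailto link whose visible address differs from its target and a zip attachment whose "text document" is really a PE, can be checked mechanically at the mail gateway. The following is an added example, not Websense's code: it scans a raw message for both indicators and builds a constructed sample modelled on the spam described here (the addresses, file names and the two-byte "MZ" stand-in are assumptions, not a real capture).

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import io
import re
import zipfile

EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")
MAILTO_RE = re.compile(r'<a[^>]*href="mailto:([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def mailto_mismatches(html):
    """(target, displayed) pairs where the visible text is an address that differs from the link target."""
    return [(href.strip(), shown.strip()) for href, shown in MAILTO_RE.findall(html)
            if "@" in shown and href.strip().lower() != shown.strip().lower()]

def suspicious_zip_members(zip_bytes):
    """Zip members with an executable extension or an 'MZ' header (PE/DOS executable)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            magic = zf.open(info).read(2)  # only the first two bytes are needed for the check
            if info.filename.lower().endswith(EXECUTABLE_EXTS) or magic == b"MZ":
                found.append(info.filename)
    return found

def scan_message(raw_bytes):
    """Return a list of red-flag strings found in a raw RFC 822 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    flags = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html":
            for href, shown in mailto_mismatches(part.get_content()):
                flags.append(f"mailto mismatch: shows {shown} but links to {href}")
        elif name.lower().endswith(".zip"):
            for member in suspicious_zip_members(part.get_payload(decode=True)):
                flags.append(f"executable inside {name}: {member}")
    return flags

def build_sample():
    """Constructed message modelled on the spam described above (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "LinkedIn Support <support@linkedin.com>"  # spoofed sender, as in the post
    msg["Subject"] = "Re: import my contacts"
    msg.set_content('<p>To: <a href="mailto:support@ups.com">support@linkedin.com</a></p>', subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("contacts.scr", b"MZ" + b"\x00" * 62)  # stand-in for a PE header, not real malware
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="contacts.zip")
    return msg.as_bytes()
```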

This message campaign was sent to infect users with the backdoor program in the attachment. The end goal for these malware authors was probably to infiltrate a corporate network via this backdoor.

Our Threatseeker network prevented Websense Messaging customers from receiving these messages despite the authors' attempts to fly below the radar. The moral of this story is to always be suspicious of emails with attachments, especially unsolicited messages, even if they look like they might be a reply to something you don't remember sending.

Security Researcher: Chris Astacio
