10,000 LinkedIn users targeted in spear phishing attack

Powered by SC Magazine

A LinkedIn "spear phishing" email scam loaded malicious software to steal usernames and passwords.

Ten thousand users of LinkedIn, a social networking site for professionals, were recently targeted in a “spear phishing” email scam trying to lure them into downloading a malicious software attachment.

In a blog post Wednesday, Brian Krebs of the Washington Post, who first reported the story, said recipients of the email were addressed by name, aiding in the authenticity of the email. 

What sets spear phishing attacks apart from traditional malware attacks is that the sender includes information about the intended target in hopes of lending even more legitimacy to the email, David Marcus, director of security research and communications for McAfee Avert Labs, told SCMagazineUS.com Thursday.

The message appeared to come from the address “support[at]linkedin[dot]com” and carried the subject line “Re: business contact.” 

The email read: “We managed to export the list of business contacts you have asked for.”  The message then directed the recipient to open an attachment that was supposedly a list of business contacts that the user requested. In reality, it loaded malicious software to steal data such as usernames and passwords from the victim's computer.
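The lure above has three observable traits a mail gateway can screen for: a From address claiming to be LinkedIn support, the subject "Re: business contact" with the "export the list of business contacts" pretext, and an attached file. The following is an added example, not code from the article or from LinkedIn or McAfee, that parses constructed sample messages with Python's standard email module and scores them against those indicators. The Return-Path mismatch check, the list of risky attachment extensions and the alert threshold of three hits are assumptions chosen for illustration; the sample messages and their attachment bytes are constructed, not captured.

```python
"""Screen raw e-mail messages for the LinkedIn "business contact" lure.

Indicators taken from the article: sender claims support@linkedin.com,
subject "Re: business contact", body pretext about an exported contact
list, and an attached file. Everything else (Return-Path comparison,
risky extensions, threshold) is an assumption for this example.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

CLAIMED_SENDER = "support@linkedin.com"
LURE_SUBJECT = "re: business contact"
LURE_PHRASE = "export the list of business contacts"
# Assumed list of extensions worth flagging; tune to your environment.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".zip")


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Parse one RFC 822 message and return the list of matched indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr == CLAIMED_SENDER:
        hits.append("claims-linkedin-support")

    # Assumption: a Return-Path domain that differs from the From domain is
    # a spoofing indicator (legitimate bulk senders often differ too, so this
    # only adds weight; it is not conclusive on its own).
    rp_domain = sender_domain(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != sender_domain(msg.get("From", "")):
        hits.append("return-path-mismatch")

    subject = (msg.get("Subject", "") or "").strip().lower()
    if subject == LURE_SUBJECT:
        hits.append("lure-subject")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if LURE_PHRASE in text.lower():
        hits.append("lure-phrase")

    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            hits.append("risky-attachment:" + name)

    return hits


def is_suspicious(raw, threshold=3):
    """Assumed policy: three or more indicators is enough to quarantine."""
    return len(score_message(raw)) >= threshold


def build_sample(from_addr, return_path, subject, body, attachment_name=None):
    """Construct a sample message (not a real capture) and serialise it."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "jane.doe@example.com"
    msg["Subject"] = subject
    if return_path:
        msg["Return-Path"] = return_path
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes standing in for the malicious attachment.
        msg.add_attachment(b"constructed placeholder, not a real binary",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


# Constructed samples: the lure as described, a genuine-looking notification
# without an attachment, and an unrelated internal message.
LURE_SAMPLE = build_sample(
    "support@linkedin.com", "<bounce@mail.example.net>", "Re: business contact",
    "We managed to export the list of business contacts you have asked for.\n"
    "Please open the attached file.\n", "business_contacts.zip")
NOTIFICATION_SAMPLE = build_sample(
    "support@linkedin.com", "<bounce@linkedin.com>", "Your weekly update",
    "You have 3 new connection requests.\n")
BENIGN_SAMPLE = build_sample(
    "colleague@example.com", None, "Re: lunch", "See you at noon.\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE_SAMPLE), ("notification", NOTIFICATION_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(raw), score_message(raw))
```

The scoring is deliberately additive: a single indicator such as a LinkedIn From address is normal for a real notification, and only the combination of sender claim, pretext and attachment crosses the assumed threshold.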

According to Marcus, the success rate of spear phishing attacks is significantly higher than traditional malicious attacks. Most people have received some sort of spam or phish message reading, “Dear banking customer” and deleted it. But not many people have gotten an email specifically addressed to them, he said.

“The likelihood that you're going to think it's real is certainly going to go up,” Marcus said.

To pull off an attack like this, fraudsters must already have obtained a certain amount of information about their targets, Marcus said.

Generally, an attacker would have acquired a database of information with names, email addresses and other identifying information either through a previous hack or having bought the information from cybercrime markets, he said.

The attacker would use that information to craft a legitimate looking email directed to their target.

“It's certainly troubling that the person who instigated the attack had 10,000 people's pieces of information,” Marcus said.

Attackers are targeting the users of social networking sites such as LinkedIn because members are used to receiving emails from the site.

Marcus recommended that users who receive the phishing email monitor their bank and credit statements, because the message itself shows that someone already holds some of their personal information.

Krista Canfield, spokeswoman for LinkedIn, told SCMagazineUS.com Thursday that the emails were not sent by LinkedIn.

"LinkedIn never advocates that its users be 'open networkers,'" Canfield said in an email. "In fact it can be downright dangerous. We always advocate that our users keep their network tightly knit. Users should only connect to people that they know and trust or people that they have actually met and worked with before."

See original article on scmagazineus.com

Copyright © SC Magazine, US edition
