Email spam campaign targets LinkedIn users

Zeus payload delivered.

A significant email spam campaign was detected this week that targeted the LinkedIn social media community.

Targets were emailed an alert containing a link that purported to be a social media contact request. After clicking the link, victims were taken to a web page that read ‘please waiting .... 4 seconds’, which then redirected them to the Google homepage.

According to Cisco, during those four seconds the victim's PC was infected with the Zeus data-theft malware via a drive-by download. Cisco observed that within one 15-minute interval these messages accounted for as much as 24 per cent of all spam sent.

Cisco advised organisations to encourage individuals to delete such requests, especially if they do not recognise the name of the contact, and suggested that the criminals behind this attack are most interested in employees with access to financial systems and online commercial bank accounts.

This is the second spam attack of this magnitude this month, preceded by the ‘Here You Have’ email worm a few weeks ago. Cisco expects to see more malware-carrying spam sent to organisations in order to collect personal information.

Henry Stern, senior security researcher at Cisco IronPort Systems, said: “This is not the first time that criminals have subverted brands associated with online social media. The criminals controlling the Cutwail botnet routinely send email messages impersonating major social networks and governmental organisations.

“What makes this attack unique is the combination of the extremely high volume of messages transmitted, the focus on business users and the use of the Zeus data-theft malware. This strongly suggests that the criminals behind this attack are most interested in employees with access to financial systems and online commercial bank accounts.”

The ‘Here You Have’ threat was a mass-mailing worm that arrived via email containing a link to a malicious program, accompanied by spam messages carrying HTML attachments.

Dave Michmerhuizen, security researcher at Barracuda Labs, warned that the lab had seen an enormous increase in spam containing malicious HTML attachments.

He said: “For years computer professionals have been telling email users to be particularly careful with emails from sources they do not recognise and to even be careful with unusual looking email from sources that they do trust.

“Users have been warned of the potential dangers associated with clicking on a file or link that arrives in an email. Many people assume that an HTML file is just a web page and that web pages are safe.”

He said that a campaign began on 16 September with spam tied to current Google trending topics, and that it evolved slightly over the following days, with the subject lines changing from trending topics to more nonspecific subjects of the kind one might receive from a business associate.

He said: “The attachments include 100 per cent obfuscated JavaScript – JavaScript deliberately made confusing to read or scan in order to make it harder for anti-virus products to identify it.

“When opened in a browser window, this JavaScript sends the browser to a variety of destinations depending on the spam flavour of the moment. In some instances, that is fake pharmacy sites, which are harmless, while in others, it may be fake codec sites, which are harmless as long as the fake codec is not downloaded, while some instances lead to fake anti-virus sites, which can carry a variety of problems.

“What makes this a real problem is that although the fake anti-virus site can be defeated by simply terminating the browser, the backdoor has already quietly been installed. After several days, the spammers then shifted gears and started embedding the malicious JavaScript directly in otherwise innocent looking HTML files.

“So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless.”
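The HTML-attachment technique Michmerhuizen describes is recognisable on the defender's side: scripts in a mail attachment that lean on `eval`/`unescape`, long escaped strings and a browser redirect look nothing like hand-written page logic. The following triage scanner is an added example written for this article, not code from Barracuda Labs or SC Magazine; the indicator list, the entropy threshold and both sample attachments are this example's own constructed assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import unquote

# Indicator patterns (assumed, not Barracuda's): obfuscation helpers,
# redirect primitives and long escaped runs typical of packed scripts.
INDICATORS = [
    r"\beval\s*\(",
    r"\bunescape\s*\(",
    r"String\.fromCharCode",
    r"document\.write\s*\(",
    r"(?:window|document)\.location\s*=",
    r"location\.(?:replace|href)",
    r"(?:%[0-9a-fA-F]{2}){8,}",    # long percent-encoded run
    r"(?:\\x[0-9a-fA-F]{2}){8,}",  # long hex-escaped run
]
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I)
PERCENT_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")

def shannon_entropy(text: str) -> float:
    """Bits per character; escaped/packed script text scores high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def decode_percent_strings(script_body: str) -> list:
    """Decode long percent-encoded runs so an analyst can read them."""
    return [unquote(m.group(0)) for m in PERCENT_RUN_RE.finditer(script_body)]

def scan_html_attachment(html: str) -> dict:
    """Triage one HTML attachment: matched indicators, entropy, verdict."""
    body = "\n".join(SCRIPT_RE.findall(html))
    hits = [p for p in INDICATORS if re.search(p, body)]
    if META_REFRESH_RE.search(html):
        hits.append("meta-refresh")
    entropy = shannon_entropy(body)
    # Two indicators, or one indicator in high-entropy script text, flags it;
    # the 4.5-bit cut-off is an assumption to tune against real mail flow.
    suspicious = len(hits) >= 2 or (entropy > 4.5 and bool(hits))
    return {"hits": hits, "entropy": round(entropy, 2),
            "decoded": decode_percent_strings(body), "suspicious": suspicious}

# Constructed samples, not real spam: a plain newsletter and an attachment
# that hides a percent-encoded statement behind eval(unescape()).
BENIGN_HTML = """<html><body><h1>Quarterly update</h1>
<script>document.getElementById('y').textContent = new Date().getFullYear();</script>
</body></html>"""
OBFUSCATED_HTML = """<html><body>please waiting .... 4 seconds
<script>var p="%64%6f%63%75%6d%65%6e%74%2e%74%69%74%6c%65%3d%22%78%22";eval(unescape(p));</script>
</body></html>"""
```

Run over a mail gateway's quarantined attachments, the `decoded` field shows what the escaped string would have executed without opening the file in a browser.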

See original article on scmagazineus.com


Copyright © SC Magazine, US edition