Fake LinkedIn e-mails lead to Zeus Trojan
Cisco reports that billions of fake LinkedIn e-mails included links that could have installed data-stealing malware on computers if clicked on.
Criminals are using bogus LinkedIn invite e-mails to trick people into clicking on links that lead to the Zeus data-stealing Trojan, a researcher warned today. The malware targets Windows users.
Researchers saw tens of billions of messages related to the attack yesterday, Henry Stern, a senior security researcher at Cisco Systems, told CNET. "There have been some bursts today, but nothing like yesterday," he said. "The botnet responsible for this is still in operation and it's just doing something else right now."
While this attack appears to be abating, people should be wary of any new campaigns that use similar methods.
"This attack is particularly interesting because of its size," Stern said. "It's one of the largest viral campaigns we've seen, and one of the largest that mimics a social network."
In this attack, the e-mails looked like legitimate LinkedIn invites with a Web link for confirming a contact. However, the link doesn't lead to LinkedIn; it redirects to a Web page and displays a message saying "Please waiting .... 4 seconds" before then redirecting to Google.
For example, Stern used a test system running an older version of Adobe Reader that has a vulnerability. The attack detected that and used an exploit for that Reader hole and installed Zeus on the machine.
Once Zeus is on the machine it can steal data by copying bank passwords and other information a user types into a Web form. It then sends the data off to a remote server.
In addition to keeping antivirus and other security software up to date, computer users should also "make sure all Web browser-related software, especially Adobe Reader, Flash, and Java, have the latest security updates," Stern said.
It can be difficult to know if a computer has been infected. "The software hides itself within another process on your PC," he said. Infected machines will begin sending communication requests to a command-and-control server based in Russia, with a host name ending in ".ru," so computers running personal firewalls can check the outbound logs for that, he added.
Cisco has more information about the attack on its blog.