Fake LinkedIn e-mails lead to Zeus Trojan

Cisco reports that billions of fake LinkedIn e-mails included links that could have installed data-stealing malware on computers if clicked on.

This is what the fake LinkedIn e-mails looked like. (Image: Cisco Systems)

Criminals are using bogus LinkedIn invite e-mails to trick people into clicking on links that lead to the Zeus data-stealing Trojan, a researcher warned today. The malware targets Windows users.

Researchers saw tens of billions of messages related to the attack yesterday, Henry Stern, a senior security researcher at Cisco Systems, told CNET. "There have been some bursts today, but nothing like yesterday," he said. "The botnet responsible for this is still in operation and it's just doing something else right now."

While this attack appears to be abating, people should be wary of any new campaigns that use similar methods.

"This attack is particularly interesting because of its size," Stern said. "It's one of the largest viral campaigns we've seen, and one of the largest that mimics a social network."

In this attack, the e-mails looked like legitimate LinkedIn invites with a Web link for confirming a contact. However, the link doesn't lead to LinkedIn; it redirects to a Web page and displays a message saying "Please waiting .... 4 seconds" before then redirecting to Google.

Computer users are likely to shrug it off, but behind the scenes nasty things have happened. The page users are redirected to has malicious JavaScript hidden in an iFrame that detects what browser is being used and what applications are running and figures out if there is a vulnerability it can exploit to drop the Zeus malware onto the system, Stern said.

For example, Stern used a test system running an older version of Adobe Reader that has a vulnerability. The attack detected that and used an exploit for that Reader hole and installed Zeus on the machine.

Once Zeus is on the machine it can steal data by copying bank passwords and other information a user types into a Web form. It then sends the data off to a remote server.

Computer users can protect against attacks by not clicking on links in e-mails and instead typing "www.linkedin.com," for instance, into a browser. Firefox users can install the NoScript plug-in to block JavaScript.

In addition to keeping antivirus and other security software up to date, computer users should also "make sure all Web browser-related software, especially Adobe Reader, Flash, and Java, have the latest security updates," Stern said.

It can be difficult to know if a computer has been infected. "The software hides itself within another process on your PC," he said. Infected machines will begin sending communication requests to a command-and-control server based in Russia, with a host name ending in ".ru," so computers running personal firewalls can check the outbound logs for that, he added.
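The two checks the article recommends, a link that really resolves to linkedin.com and outbound connections to ".ru" hosts in a personal-firewall log, can be scripted. This is an added example, not code from Cisco or CNET; the log format and every host name in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of outbound-connection log lines (not real traffic):
# "<date> <time> <process> <destination host> <port>".
SAMPLE_LOG = """\
2010-09-27 10:01:05 firefox.exe www.linkedin.com 443
2010-09-27 10:01:09 svchost.exe update.example-cdn.com 80
2010-09-27 10:01:12 explorer.exe stats-collector.example.ru 80
2010-09-27 10:02:40 chrome.exe www.google.com 443
"""

# Assumed log layout; adjust the pattern to the firewall actually in use.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<host>\S+) (?P<port>\d+)$")


def flag_outbound(log_text, suspicious_tlds=(".ru",)):
    """Return (timestamp, process, host) for every outbound connection whose
    destination host name ends in one of the suspicious top-level domains."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than guessing
        host = m.group("host").lower().rstrip(".")
        if any(host.endswith(tld) for tld in suspicious_tlds):
            hits.append((m.group("ts"), m.group("proc"), host))
    return hits


def link_points_to(url, expected_domain="linkedin.com"):
    """True only if the link's host is expected_domain or a subdomain of it.
    Comparing the parsed host (not a substring of the URL) rejects lookalikes
    such as 'linkedin.com.example.net', bare IP addresses, and URLs that merely
    mention 'linkedin' in their path."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)
```

A ".ru" destination on its own is a coarse indicator, so treat a hit as a machine to investigate, not a confirmed infection.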

Cisco has more information about the attack on its blog.

This is the message that appears when the e-mail link is clicked on. The page then redirects to Google. (Image: Cisco Systems)