back to article LinkedIn Zeus spam run targets prospective business marks

Cybercrooks on Tuesday targeted users of the LinkedIn social network with a spam attack aimed at infecting victims with the infamous Zeus Trojan. Prospective marks were emailed an alert link that posed as a social media contact request but actually sent victims to a malware-loaded site that attempted to infect users via a …


This topic is closed for new posts.
  1. Number6


    I did notice rather a lot of LinkedIn email in my spam folder. It's a bit of a giveaway when there are a load of identical-looking messages to various email address I use, but none to the one I've actually got registered with LinkedIn.

  2. Reinhard Schu

    Drive by Download?

    Are these "drive-by-dowload" attacks based on the user having admin privileges (as is common in MS Windows)? Or would they also work for non-privileged users (under both Windows and Linux)?

  3. DJV Silver badge

    I've seen 2 or 3...

    But immediately saw they were fake when I noticed that what they linked to wasn't linkedin (I use MailWasher which previews emails and shows the link and then what that link really links to).

  4. Anonymous Coward
    Anonymous Coward

    Funny that

    Never heard of them before and now suddenly everyone does because of the spam? Great marketing people, well done.

  5. Kevin 6

    Minor correction

    "Cybercrooks on Tuesday targeted users of the LinkedIn social network with a spam attack "

    should be(or something similar): Cybercrooks on Tuesday targeted random e-mail accounts with a spam message that tries to pass off as an official message related to the LinkedIn social network.

    I only say this because I have no account on linkedin(never will too along with all other web 2.0 sites) and have roughly 4-500 of these sitting in my spam virus folder in my e-mail client for one of my e-mail addresses. So its not just targeting linkedin users but anyone at random. And I'm sure some who do not have linkedin accounts will still click on it and install the malware.

  6. Shannon Jacobs

    LinkedIn deserves it, but NOT the spammers

    I got a copy of this one. Extremely professionally done and routed into my company's email system in an extremely impressive way. I sort of admire the craftsmanship, but not the pure evil behind it.

    Since it was so well done, I made special efforts to call it to the attention of LinkedIn so they could defend their reputation and even their users. At a minimum, they might want to make sure the spammer's website is quickly nuked, but even better if they aggressively pursue the spammer's abuse of their supposedly valuable reputation. I routed the reports to two channels. There were robotic ACKs for the submissions, which is fine, but they were soon followed by identical robotic responses that apparently had to wait for an actual human to push a button. As far as defense of reputation goes, the spammers win again. However, I already had a rather low opinion of LinkedIn, so I suppose it doesn't matter that much to me.

    Still, I'd like to see someone offer a REAL tool against the spammers. Sort of like a crowd-based vigilante-powered system. I'm thinking of something like SpamCop on steroids, with more iterations and more complaint channels, including channels for companies that actually care about and want to defend their corporate reputations--unlike LinkedIn.

    I want to become a spam fighter first class. How about you? And how would you feel about ANY company that was really putting a dent in the spammers' heads? Wouldn't you want to use that company's websites and email system? (I'd even say "Are you listening, Gmail?", except that Google is too busy becoming evil to listen to anyone these days.)

    1. Anonymous Coward

      Delinquent ISPs

      I am a first class spam fighter and have been for a decade.

      I am a small web/mail hosting provider - I have written many defence systems and is now as comprehensive as it is possible to be without throwing out the baby with the bathwater.

      My system is almost fully automatic now - last few *years* worth of sendmail logs are stored in a mysql database and a history of 1.1 million ip addresses.

      Attempts to send mail and other abuses by zombies are tracked and logged. If it violates some rules, spf failures, rbls, mail attacks, no reverse lookup etc, then the ip address is banned using iptables for 10 days times the number of bans, added to an RBL and a munged history log of the addresses activity is sent to the ISP that owns the netblock. If no abuse address is given, then all available addresses are mailed after checking a local learned blacklist of bad or delinquent ISPs. If they don't want my reports, I can't force them to accept them.

      I have similar monitoriing and complaint systems with various rules for ftp, ssh, pop3 and web brute force attempts and probes.

      Any messages that are accepted go through a lot of spam checks - high scoring spam gets quarantined and automatically fed into spamassassin's Bayesian filters, added to my RBL and sent to Spamcop. Unfortunately confirming these is still manual on their site.

      Borderline scoring spam gets quarantined and goes to a special mail account for submitting to spamcop or unquarantining - manual I'm afraid, but there are very few false positives.

      I send hundreds of complaints a day.

      There appear to be no laws anywhere that force an ISP to look after their customers.

      There appear to be no laws anywhere that force an ISP to halt abuse from their networks.

      There is no way to fix users that are too stupid to realise they are too stupid to use the net.

      Educating users is proving impossible. Even patching all known vulnerabilities and up to date virus scanners won't stop people from installing trojan software. Most spam is nowadays coming from Russia, Vietnam, South America, Ukraine, Belarus, Korea, Taiwan and increasingly Africa where many just aren't aware of the dangers, and most people use pirated and hence unpatched Windows XP.

      Outlook does not show the real country of origin of a mail, which would help users think twice.

      The linked-in mails were expertly put together, only the mail header and the false url gave them away, and even then had to look hard as the Received: field was forged to look as if linked-in had handled it first.

      Not enough people use SPF and DKIM and use -all or enforce dkim discardable policies.

      Even paypal doesn't use -all, but this still only useful if the receiver pays attention to SPF/DKIM and mail forwarding or mailing lists can break these.

      The only way to influence an ISP is to hit their bottom line - if customers can realise their ISP is being blocked by not fixing zombies and admonishing hackers then they could go elsewhere, but many places don't have alternative ISPs.

      Google, Yahoo, MSN, Badoo, Akamai, et al are too chicken to blanket block delinquent ISPs because they need the clicks.

      95% of reports fall on deaf ears.

      However, I do have some successes in bringing compromised machines to an owners' attention and that makes it worthwhile.

      Now, if I could just put my Heath Robinson system into a form that could be distributed for others to use, then we can overload ISPs abuse mailboxes and blacklist them more effectively and hopefully get more response, but this would just escalate the war. The big players need to do more to influence behaviour.

  7. Danny 14


    Since they all used the same forged "from" address I crudely added it to the exchange recipient filter, sorted that until people complain (if anyone actually uses linkedin) by that time I will have forgotten what I did...

This topic is closed for new posts.

Other stories you might like