Fake LinkedIn invite leads to ZeuS Trojan

by Michael Smith (Veshengro)

London, UK, 09/29/2010: A major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a multitude of browser exploits in order to install the password-stealing ZeuS Trojan.

The spam campaign began on the morning of Monday 09/27, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations apparently accounted for as much as 24% of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and are then sent on to Google.com.

On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS.

This attack will no doubt fool a large number of people. Even a reporter for IT World said that he was tricked into clicking the link and possibly infecting his system.

It would also appear that the LinkedIn e-mails are not the only ones: others purport to come from Twitter, stating that the recipient has some number of unread Direct Messages. The links in those e-mails lead to sites with the .ru ending, amongst others, and not to Twitter.com.

It’s a good idea to avoid clicking social networking site invites that arrive by e-mail, especially if you don’t recognize the name of the person who’s inviting you. Instead, consider just browsing to the social networking site and handling any invites there. Also, this attack is a good reminder that it pays to stay up-to-date on the latest security patches.

If in doubt, don't click; and even then, check on the website of the service or, as I do with Twitter, use a third-party client where possible, in my case TweetDeck. My DMs arrive there and I do not miss one. Also, Twitter does not send out reminders of unread DMs.

LinkedIn and other e-mail invites: ignore them and check, in your own time, directly on the website. Much safer.
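As an added illustration of the check recommended above (this is example code written for this page, not part of the original article): a small Python script that pulls the links out of an e-mail body and flags any whose host does not belong to the service the message claims to come from, which is exactly the tell in the Twitter variant, where "unread DM" reminders link to .ru sites rather than Twitter.com. The brand-to-domain table, the brand keywords and the two sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: links in a genuine LinkedIn or Twitter
# notification only ever point at these domains (or subdomains of them).
TRUSTED_LINK_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "twitter": {"twitter.com"},
}

# Words in a subject line that tell us which service the mail claims to be from.
BRAND_KEYWORDS = {
    "linkedin": ("linkedin",),
    "twitter": ("twitter", "direct message"),
}

# Matches http(s) URLs up to the next whitespace or angle bracket/quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is `domain` itself or a real subdomain of it.

    A suffix check alone is not enough: 'twitter.com.dm-reminder.example'
    ends in 'example', not in 'twitter.com', so it is correctly rejected,
    while 'www.twitter.com' is accepted.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def claimed_brand(subject: str):
    """Guess which service the subject line claims to come from (or None)."""
    lowered = subject.lower()
    for brand, keywords in BRAND_KEYWORDS.items():
        if any(k in lowered for k in keywords):
            return brand
    return None


def extract_link_hosts(body: str) -> list:
    """Return the hostnames of every http(s) link found in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        hostname = urlparse(url).hostname
        if hostname:
            hosts.append(hostname.lower())
    return hosts


def suspicious_links(brand: str, body: str) -> list:
    """Hosts in the body that do not belong to the claimed brand's domains."""
    trusted = TRUSTED_LINK_DOMAINS[brand]
    return [h for h in extract_link_hosts(body)
            if not any(host_belongs_to(h, d) for d in trusted)]


def triage(subject: str, body: str) -> dict:
    """Combine the two checks into one verdict for a single message."""
    brand = claimed_brand(subject)
    if brand is None:
        return {"brand": None, "suspicious": [], "verdict": "unknown sender"}
    bad = suspicious_links(brand, body)
    return {"brand": brand, "suspicious": bad,
            "verdict": "off-brand links" if bad else "links match brand"}


# Constructed sample messages (not real spam text).
SAMPLE_FAKE_TWITTER_SUBJECT = "You have 3 unread Direct Messages from Twitter"
SAMPLE_FAKE_TWITTER_BODY = (
    "Hi, you have unread DMs waiting.\n"
    "Read them here: https://twitter.com.dm-reminder.example/inbox?u=123\n"
)
SAMPLE_REAL_LINKEDIN_SUBJECT = "LinkedIn: invitation to connect"
SAMPLE_REAL_LINKEDIN_BODY = (
    "Someone wants to connect. View the invitation at\n"
    "https://www.linkedin.com/invitations and manage settings at\n"
    "https://linkedin.com/settings\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_FAKE_TWITTER_SUBJECT, SAMPLE_FAKE_TWITTER_BODY))
    print(triage(SAMPLE_REAL_LINKEDIN_SUBJECT, SAMPLE_REAL_LINKEDIN_BODY))
```

The point of `host_belongs_to` is the boundary check: a lookalike such as `twitter.com.dm-reminder.example` starts with the brand name but is not under `twitter.com`, and a plain substring test would wave it through. In practice the trusted-domain table would be wider than two entries (tracking and CDN domains the real services use), but the shape of the check is the same.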

© 2010