Attack Targets LinkedIn Users With Fake Contact Requests
wiredmikey writes "On Monday morning, cybercriminals began sending massive volumes of spam email messages targeting LinkedIn users. Starting at approximately 10am GMT, users of the popular business-focused social networking site began receiving emails with a fake contact request containing a malicious link. According to Cisco Security Intelligence, these messages accounted for as much as 24% of all spam sent within a 15-minute interval today. If users click, they are taken to a web page that says 'PLEASE WAITING.... 4 SECONDS..' and then redirected to Google, appearing as if nothing has happened. During those four seconds, the site attempted to infect the victim's PC with the ZeuS Malware via a 'drive-by download' – something that requires little or no user interaction to infect a system."
Just click here: www.google.com
NoScript FTW. Seriously.
"sending massive volumes of spam email messages targeting LinkedIn users."
To paraphrase Mark Twain:
www.eFax.com are spammers
Linkedin are just a bunch of spammers anyway.
I got an email from them, claiming that someone I knew wanted me to join. It was a spammer - the "custom message" that was included was a single link to a spam site in China.
The email had a "if this is spam..." report button, so I used it, and noted to linkedin that I didn't know the person, and it was *obviously* spam (the link was to a spam site.) Their automated system thanked me for reporting the abuse, and I thought that was the end of it.
Two weeks later, I receive a "helpful reminder" from Linkedin, telling me that I hadn't confirmed or rejected the invitation. Not only had they not taken any action, they helpfully included the spam link, and seemed blissfully unaware that I had reported this spammer's account two weeks prior.
Linkedin are just a bunch of scummy spammers. I blocked all email from their domain since.
I got a spam email which looked like a LinkedIn request last week.
It was immediately obvious that it was fake because it was sent to sales@
The real "Libtards" are the Libertarians!
Why do these "drive by download" vulnerabilities exist? Web browsers should be sandboxed to disallow execution of malicious code. Clicking on a hyperlink should just not execute code that runs outside of the browser sandbox. That's jus
I don't have anything to do with LinkedIn but I got the spam as well. It's not half so targeted as this article would indicate. It's just the usual random spam. This also isn't the first time this sort of attack has used the LinkedIn name. A similar splurge happened about a month ago. There may have been one previous to that as well, I can't remember and I don't archive spam that long.
Long story short: Never blindly click on links.
LinkedIn spamming started before today, I know as we've got several from last week.
Today we started getting the netflix emails about 'lost in mail' disks for movies that haven't been requested and/or to users without netflix accounts.
Way to notice what's going on guys.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I get REAL contact requests from Linked In occasionally. What a pain!
http://www.acetonestudio.com
Or is it another "Download gdggdsf.exe" and moronic users click on Run?
So far I've only seen "drive by download" which is 100% meaningless. Would it kill them to tell us what exploit, if any, is being used?
Why is it no matter how short the message involved in a scam, somehow the English is mangled? It seems like a good malware defense is simply a good understanding of the English language. Please WAITING?
I mean maybe it uses a real exploit, like say the hole in Acrobat Reader. That's been patched now but it is recent so people are probably still vulnerable. Would be nice to know what it is so we know what to look for if a user gets hit.
We had hundreds of these per day a couple of weeks back at work - somehow they got past our spam filter (perhaps LinkedIn was whitelisted), although they were obviously spam. What was odd was the fact that I've registered with LinkedIn using my @gmail address, but the spam came to @work. The part before @ is the same though.
I assume that this is a Windows only malware but as usual, no mention is made of platform.
I don't read your sig. Why are you reading mine?
The best thing to do with the pathetic state of today's web is to just disable JavaScript, disable Java applets, and disable all plugins (including Flash).
There are no sites worth visiting that require the use of JavaScript. Even Slashdot sort of falls back when JavaScript isn't available, although it does a shitty job.
Basically nobody uses Java applets these days. So you're not missing out on anything at all by disabling them.
YouTube is the only site that reasonably uses Flash. But even then, most of the content on there is total crap to begin with. Not being able to use YouTube is a small price to pay if it allows one to disable Flash completely.
Disabling all three makes the web suck a whole hell of a lot less than it typically does.
Botnets, worldwide botnets.
What kind of boxes are on on botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too.
Are boxes, found on botnets.
All running Windows. FOO!
Guaranteed! This comment 100% Anthrax free!
...but I don't think they have anything to do with my non-neglected linkedin account. It's just normal phishing.
What I did get yesterday was a telephone spam phishing attempt. They called and told me they had detected malware from my system and tried to get me to load a remote administration tool from their web site. Take a look at the language on that site "Blue Screen To Death Error", etc. It's hilarious.
http://michaelsmith.id.au
I'm ready to execute all malware writers. Put them up against the wall and remove the problem forever. They contribute absolutely nothing of use to society.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Lots of sites seem to use Javascript for their menus.
And while Java applets are indeed mostly dead, Paypal uses one if you purchase postage online, which is a handy feature. Yeah, Paypal sucks and all, but I don't know any other place that lets you purchase USPS First Class postage so easily (USPS's own site only lets you buy Priority and Express, which are overpriced). (And don't mention encidia; Paypal at least doesn't require a monthly fee.)
I would think the answer is obvious. Sand, you see, is extremely small and could get everywhere inside the computer. That's why companies don't sandbox their products.
If you want sand, bring your laptop to the beach.
P.S.: Slashdot really needs a "smartass" moderation option. Like funny, wouldn't count toward the karma.
Problem solved.
I reflect your pompous signature back upon you.
I got 114 spams for Linkedin on two email accounts from the 24th 11:18 pm GMT+2 to 27th 11:50 GMT +2.... 80% of these were blocked automatically by simple rules like checking for Reverse DNS and checking if the sender IP is blacklisted.
Funny enough, all websites used in the messages point to a file 1.html - I guess they used some bots and some vulnerability of those websites to upload the html file with that particular name.
Sure, browsers can run java applets which are sandboxed. Probably why phishers don't use java.
http://michaelsmith.id.au
Changing one tilde to a dash would solve this problem for 90% or more of the phishing targets.
$ dig txt linkedin.com
;; ANSWER SECTION:
linkedin.com. 21600 IN TXT "v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all"
include $sig;
1;
I had a few each Friday and Saturday and several on Monday. The URLs of the links varied. None of them were linkedin.com.
Engage brain before clicking.
Of course, because 90% of routers, firewalls and mail servers have SPF built into them and hardwired in a way that it is impossible to disable.
Seriously about 50% of all domains use SPF.
On my small domains with a few machines, I do publish SPF records with a "-all" (dash) record but I do not use SPF directly to filter email. I give a small weight when SPF records do not match amongst a lot of other factors in order to make a decision whether an email is spam or not but I never block an email based only on SPF.
For big domains with multiple machines and customers who access the net in many different ways, having an SPF record with "-all" is a guaranteed way to have your legitimate customer emails blocked at some point.
http://en.wikipedia.org/wiki/Sender_Policy_Framework
Everything I write is lies, read between the lines.
NoScript blocks 'flash' and other payloads -- even fonts (which I know of no exploits for). As for graphical vectors -- I can count the number of those on 1 hand in the past 10-15 years, actually, 1 finger now that I think about it. But you can block those if that's where your tolerance is.
You have to draw lines somewhere. Technologies that allow some program, written by someone else to run on your machine, just by visiting a website, are where I get uncomfortable. I permit them on reasonable sites and don't worry about them again. I can't see anyone complaining about such -- you can even default to permitting the main site by default which would protect most people from 3rd-party website-hosted scripts -- at least then you just have to trust the websites you visit and not all the websites they or someone else might include.
You are very naive or stupid if you think that 'imperfect protection' == no protection, since no protection is perfect and all protection is 'imperfect', save complete isolation, but then you wouldn't be reading this. This isn't to say that NoScript is a solution to everything, but it would be to the original problem -- a drive-by script load from a noname site. Problem solved. Next?
I've been getting these for several days, at least.
I just now deleted one from two days ago. And they started before then. But I must admit they have been getting more common. I had like 12 just today.
Fonts had a couple of exploits. I am too lazy to trawl my BUGTRAQ archive at the moment, but I can recall at least a few.
In any case, noscript helps, but it is not enough. You can still get nailed by a payload on a site which is in the whitelist. In addition to that, most sites nowadays make such heavy use of Javascript and Flash that you end up tweaking settings for half an hour before you can browse a site.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
That is like saying that you don't understand how people can refuse to have sex with an AIDS infected whore. The internet is a very dangerous place without a lot of protection. A little inconvenience is a good trade off. I don't understand how you can be on a place like Slashdot and not see this.
Well at least it isn't a car analogy
These posts express my own personal views, not those of my employer
What are you talking about?
I rarely have to tweak more than the main page for most stuff. If I'm actually using the site to post or buy or interact, I sometimes have to enable a static and a script site in addition to the main -- usually a total of 3, _tops_ for full use of most sites -- and those are ones that are not on my white list. I spend far less time on NoScript config/week than I do waiting on the internet in a single day: the same would be true of anyone who knows what they are doing. So your statement doesn't begin to hold water under any circumstance.
I've been infection free since before the internet went public in the early 80's, so I'm not too concerned about doom-sayers, no matter how misinformed they are.
I don't see why, if it's correctly configured. The domain I run has hundreds of machines. There are bigger domains out there, but I don't see how they would be significantly different. "Having an SPF record with -all" simply means you're confident that you know what IP addresses your domain's outgoing mail will be sent from. Do you not think most organizations will know the IP addresses of their own outgoing MTAs? Is it so difficult to set up all of an organization's mail clients so they ALWAYS relay mail through one of those servers?
include $sig;
1;
Well, you can always read the Wikipedia link I posted for a list of potential problems. The linked page contains several links to other pages as well.
I will give you only one example of a company that is said to endorse SPF but doesn't even use softfail. They use neutral (?all). There must be a reason behind this...
$ dig txt gmail.com
;; ANSWER SECTION:
gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"
$ dig txt _spf.google.com
;; ANSWER SECTION:
_spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
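To make the ~all / -all / ?all argument running through this thread concrete, here is an added example (not posted by anyone in the discussion) that evaluates a sender IP against the SPF records quoted above, copied into an offline dictionary so no DNS lookups are needed. The "example.test" record with "-all" is a constructed stand-in for the small-domain setup one poster describes; the "mx" mechanism is deliberately left unresolved because it would need a live lookup.

```python
import ipaddress

# Constructed offline copy of the TXT records quoted in the thread, plus one
# hypothetical small domain (example.test) publishing a hard-fail "-all" record.
SPF_RECORDS = {
    "linkedin.com": "v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 "
                    "ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 "
                    "ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all",
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
                       "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 "
                       "ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all",
    "example.test": "v=spf1 ip4:192.0.2.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none')
    for sender_ip claiming to send mail as domain.

    Only the terms present in the quoted records are implemented: ip4, the
    redirect= modifier and the all mechanism. 'mx' is treated as no match because
    resolving it needs DNS; a real checker would look the MX hosts up.
    """
    if depth > 10 or domain not in records:       # unknown domain or redirect loop
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    terms = records[domain].split()
    if terms[0] != "v=spf1":
        return "none"
    redirect = None
    for term in terms[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"                             # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4" and ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "all":                           # the catch-all decides the policy
            return QUALIFIERS[qualifier]
    # Per RFC 7208, redirect= is followed only when no mechanism matched.
    if redirect:
        return spf_check(redirect, sender_ip, records, depth + 1)
    return "neutral"
```

A forged LinkedIn mail from an unlisted IP only gets "softfail" under linkedin.com's record and "neutral" under Google's, which is why several posters treat SPF as one scoring input rather than a blocking rule.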