March 23, 2012 By Dancho Danchev

Spamvertised LinkedIn notifications serving client-side exploits and malware

Cybercriminals are currently spamvertising LinkedIn-themed messages in an attempt to trick both home and corporate users into clicking on the malicious links embedded in the emails.

The campaign uses the real names of LinkedIn users to make the spamvertised messages look more authentic.

More details:

Upon clicking on the malicious link, users are presented with a “Please wait page is loading…” page, while the malicious URL attempts to exploit the “Help Center URL Validation Vulnerability”, also known as CVE-2010-1885. This is the Windows Help and Support Center (hcp://) flaw that Microsoft patched in MS10-042 in July 2010, so a fully patched host is not exposed to this particular step; a Java archive (Qai.jar) is served further down the chain, which suggests that an outdated Java plugin is also being targeted.

The sample client-side exploitation structure (landing page on a compromised site, a hosted script, the exploit-serving redirect, the Java archive, and the final payload download) is as follows:

hxxp://therapower.com/jmwaWRj9/index.html
hxxp://174.133.92.122/MgGsg1Pp/js.js
hxxp://176.28.18.135:8080/showthread.php?t=73a07bcb51f4be71
hxxp://176.28.18.135:8080/content/Qai.jar
hxxp://176.28.18.135:8080/content/ap2.php?f=14095

The campaign is ultimately dropping the following malware sample: MD5: 517a86d7fe88aa53658fab1be7b7ef36. The same IP, 176.28.18.135, was also observed as a command and control server used by the following MD5: 02ce2bb3c0d58c9360bb185d6b200e03.
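The indicators above are only useful if they are actually matched against what the organisation saw. The following script is an added example, not code from the original post or from Webroot: it loads the post's URLs, hosts and MD5 hashes, refangs the hxxp:// notation, and runs them over proxy-log lines and file hashes. The log format, the sample log lines and the client IPs are constructed for the example, and the kit-style path pattern (showthread.php?t=<16 hex chars>, content/ap2.php?f=<n>, content/<name>.jar) is an assumption generalised from the single chain shown in the post, so a hit on it alone is a lead rather than a confirmed infection.

```python
"""Match this post's indicators against proxy-log lines and file hashes.

Added example, not part of the original post. Log format is a constructed,
simplified one: "<timestamp> <client_ip> <method> <url> <status>".
"""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Indicators as listed in the post (defanged with hxxp://, refanged on use).
IOC_URLS = [
    "hxxp://therapower.com/jmwaWRj9/index.html",
    "hxxp://174.133.92.122/MgGsg1Pp/js.js",
    "hxxp://176.28.18.135:8080/showthread.php?t=73a07bcb51f4be71",
    "hxxp://176.28.18.135:8080/content/Qai.jar",
    "hxxp://176.28.18.135:8080/content/ap2.php?f=14095",
]
IOC_MD5S = {
    "517a86d7fe88aa53658fab1be7b7ef36",  # dropped sample
    "02ce2bb3c0d58c9360bb185d6b200e03",  # sample using 176.28.18.135 as C&C
}

# ASSUMPTION (not from the post): the redirect, jar and payload URLs follow a
# kit-style layout, so the same paths on any other host are worth a look.
KIT_PATH_RE = re.compile(
    r"^/showthread\.php\?t=[0-9a-f]{16}$"
    r"|^/content/ap2\.php\?f=\d+$"
    r"|^/content/[A-Za-z0-9]+\.jar$"
)


def refang(url: str) -> str:
    """Turn the defanged hxxp:// notation back into a real scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def _path_query(parsed) -> str:
    return parsed.path + (("?" + parsed.query) if parsed.query else "")


def normalize(url: str) -> str:
    """Lower-case scheme and host so trivial case changes do not evade a match."""
    u = urlparse(refang(url))
    return f"{u.scheme.lower()}://{u.netloc.lower()}{_path_query(u)}"


IOC_URL_SET = {normalize(u) for u in IOC_URLS}
IOC_HOSTS = {urlparse(refang(u)).hostname for u in IOC_URLS}


def classify_url(url: str) -> Optional[str]:
    """Return the strongest reason a URL matches the campaign, or None."""
    n = normalize(url)
    if n in IOC_URL_SET:
        return "exact-ioc-url"
    u = urlparse(n)
    if u.hostname in IOC_HOSTS:
        return "ioc-host"
    if KIT_PATH_RE.search(_path_query(u)):
        return "kit-path-pattern"  # weakest signal: pattern only, new host
    return None


# Constructed log format for this example; adapt the regex to your proxy.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, url, reason) for every log line that matches an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently match
        reason = classify_url(m["url"])
        if reason:
            hits.append((m["client"], m["url"], reason))
    return hits


def md5_known_bad(digest: str) -> bool:
    """Case-insensitive lookup of an MD5 hex digest against the post's hashes."""
    return digest.strip().lower() in IOC_MD5S


def bytes_known_bad(data: bytes) -> bool:
    return md5_known_bad(hashlib.md5(data).hexdigest())


def file_known_bad(path: str) -> bool:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return md5_known_bad(h.hexdigest())


# Constructed sample log: one client walking the full chain from the post,
# one benign LinkedIn visit, and one kit-style path on an unrelated host.
SAMPLE_LOG = """\
2012-03-23T09:12:01Z 10.0.0.15 GET http://therapower.com/jmwaWRj9/index.html 200
2012-03-23T09:12:02Z 10.0.0.15 GET http://174.133.92.122/MgGsg1Pp/js.js 200
2012-03-23T09:12:03Z 10.0.0.15 GET http://176.28.18.135:8080/showthread.php?t=73a07bcb51f4be71 200
2012-03-23T09:12:05Z 10.0.0.15 GET http://176.28.18.135:8080/content/Qai.jar 200
2012-03-23T09:12:07Z 10.0.0.15 GET http://176.28.18.135:8080/content/ap2.php?f=14095 200
2012-03-23T09:12:09Z 10.0.0.22 GET http://www.linkedin.com/ 200
2012-03-23T09:13:10Z 10.0.0.31 GET http://203.0.113.7:8080/showthread.php?t=0123456789abcdef 200
"""

if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client} {reason:18} {url}")
```

A full walk of the chain by a single client, as 10.0.0.15 shows here, is the strongest signal and the host should be pulled for the dropped sample; a single "ioc-host" or "kit-path-pattern" hit warrants checking whether the response was actually delivered (status 200) and what the client fetched next.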

The cybercriminals behind the campaign are currently relying on thousands of compromised legitimate sites to host the landing pages, so that the links in the emails inherit the good reputation of those sites and pass Web reputation filters that would block a freshly registered domain. Combined with the ever-decreasing price of launching a spam campaign through a botnet, the cybercriminals behind the campaign are likely to recover their original investment and achieve a positive ROI (return on investment).

Webroot’s security researchers will continue monitoring the campaign to ensure that Webroot SecureAnywhere customers are protected from this threat. Meanwhile, home and corporate users are advised not to interact with the emails, to reach LinkedIn.com by typing the address directly rather than following links in notifications, and to ensure that they are not running outdated versions of their third-party applications and browser plugins.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Trackbacks

  1. […] Now where have we seen this IP before? In last week’s “Spamvertised LinkedIn notifications serving client-side exploits and malware” malware campaign where 176.28.18.135 was serving client-side exploits through the […]

  2. […] Based on the campaign’s structure, it’s launched by the same gang of cybercriminals that recently launched the following campaigns “Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware” ; “Spamvertised LinkedIn notifications serving client-side exploits and malware”. […]

  3. […] customer could easily request the design of spam templates impersonating Google, Facebook, USPS, LinkedIn, U.S Airways, or Verizon […]

  4. […] the ‘LinkedIn Invitations’ themed malware campaign which I profiled in March, […]

  5. […] the LinkedIn exploits and malware serving campaigns which I profiled in March, and […]

  6. […] Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware” ; “Spamvertised LinkedIn notifications serving client-side exploits and malware” campaigns, leading us to the conclusion that it’s the same cybercriminal/gang of […]
