March 23, 2012, by Dancho Danchev

Spamvertised LinkedIn notifications serving client-side exploits and malware

Cybercriminals are currently spamvertising LinkedIn-themed messages in an attempt to trick home and corporate users into clicking on the malicious links embedded in the emails.

The campaign uses the real names of LinkedIn users in an attempt to lend authenticity to the spamvertised messages.

More details:

Upon clicking on the malicious link, users are presented with a “Please wait page is loading…” page, while the malicious URL attempts to exploit the “Help Center URL Validation Vulnerability”, CVE-2010-1885, a flaw in the way the Windows Help and Support Center handled hcp:// URLs. Microsoft patched it in MS10-042 in July 2010, so a system that has installed that update is not exposed to this particular exploit; the campaign is counting on unpatched machines.
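The two tell-tale signs described above, a LinkedIn-branded link that actually leads to another host and a landing page that hands an hcp:// URL to Windows, can both be checked for mechanically. The Python below is an added example, not code from the original post or from Webroot. The sample email and landing page are constructed for illustration: the hostnames are placeholders, and the hcp:// URL in the landing page is a plain Help Center search URL chosen only to show what the detector keys on, not the campaign's exploit string.

```python
"""Triage an HTML email body and a landing page for the two tell-tale signs
discussed above: LinkedIn-branded links that point elsewhere, and hcp://
references (the Windows Help Center protocol handler abused by CVE-2010-1885).
Added example; the sample content below is constructed, not from the campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "linkedin"                 # assumption: the brand being impersonated
BRAND_HOSTS = ("linkedin.com",)    # hosts a genuine notification may link to

# hcp:// should never appear in mail or on a web page; in 2010-2012 it meant
# an attempt to hand a crafted URL to helpctr.exe (MS10-042 / CVE-2010-1885).
HCP_RE = re.compile(r"hcp://[^\s\"'<>]+", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none or is unparsable."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def is_brand_host(host):
    """True for linkedin.com and its subdomains only; lookalikes such as
    linkedin.com.example.net fail this check because they end differently."""
    return any(host == b or host.endswith("." + b) for b in BRAND_HOSTS)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def find_spoofed_links(html):
    """Anchors whose visible text invokes the brand but whose href host is not
    a brand host. Returns a list of (href, text, href_host)."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.anchors:
        host = host_of(href)
        if BRAND in text.lower() and not is_brand_host(host):
            hits.append((href, text, host))
    return hits


def find_hcp_references(content):
    """All hcp:// URIs in a page, including those inside iframe/src attributes."""
    return HCP_RE.findall(content)


# Constructed sample notification: one honest link and two that lie.
SAMPLE_EMAIL = """<html><body>
<p>Jane Doe has indicated you are a Friend</p>
<p><a href="http://compromised-site.example/x/index.html">View Jane Doe's profile on LinkedIn</a></p>
<p><a href="http://www.linkedin.com/e/unsub">Unsubscribe</a></p>
<p><a href="http://linkedin.com.profile-update.example/">http://www.linkedin.com/profile/view</a></p>
</body></html>"""

# Constructed landing page: the hcp:// URL here is a plain Help Center search,
# used only to show what the detector keys on; it is not an exploit string.
SAMPLE_LANDING = """<html><body>Please wait page is loading...
<iframe src="hcp://services/search?query=example" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for href, text, host in find_spoofed_links(SAMPLE_EMAIL):
        print("spoofed link: text=%r -> host=%r (%s)" % (text, host, href))
    for uri in find_hcp_references(SAMPLE_LANDING):
        print("hcp reference:", uri)
```

The host check deliberately compares whole labels rather than doing a substring match, so `linkedin.com.profile-update.example` is treated as off-brand even though the string "linkedin.com" appears in it; that is exactly the kind of hostname these campaigns rely on.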

Sample client-side exploitation structure (figure not reproduced in this copy):

The campaign ultimately drops the following malware sample: MD5: 517a86d7fe88aa53658fab1be7b7ef36. The same IP was also observed acting as a command and control server for a second sample, MD5: 02ce2bb3c0d58c9360bb185d6b200e03.
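The two MD5 values above are the only host-side indicators the post gives, so the first thing a responder would do with them is sweep quarantine folders or mounted disk images for files that hash to either one. The Python below is an added example, not code from the original post or from Webroot. It hashes every file under a directory and reports matches against the post's MD5 list; the demo tree it builds is constructed data (a benign file cannot reproduce the hash of a real sample) and exists only so the routine can be exercised offline.

```python
"""Sweep a directory tree for files matching the MD5 indicators given in the
post. Added example, not code from the post or from Webroot. The post shares
MD5 only, so MD5 is what is matched; SHA-256 is recorded alongside each hit so
the finding can be shared with tooling that no longer accepts MD5.
"""
import hashlib
import os
import tempfile

# Indicators from the post: the dropped payload and a second sample that used
# the same command-and-control IP.
KNOWN_BAD_MD5 = {
    "517a86d7fe88aa53658fab1be7b7ef36": "payload dropped by this campaign",
    "02ce2bb3c0d58c9360bb185d6b200e03": "sample using the same C&C IP",
}


def hash_file(path, chunk_size=1 << 16):
    """Return (md5_hex, sha256_hex) for a file, streaming so large files are fine."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, indicators=KNOWN_BAD_MD5):
    """Walk root and return one dict per file whose MD5 is in indicators.
    Unreadable files are skipped rather than aborting the sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue
            if md5 in indicators:
                hits.append({"path": path, "md5": md5, "sha256": sha256,
                             "label": indicators[md5]})
    return hits


def build_demo_tree():
    """Constructed data for exercising scan_tree offline: a benign file, an
    empty file, and a 'sample' whose MD5 is used as a stand-in indicator.
    Real malware hashes cannot be reproduced from harmless content, so the
    stand-in indicator is derived from the constructed file itself."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    sub = os.path.join(root, "Downloads")
    os.mkdir(sub)
    benign = os.path.join(root, "notes.txt")
    empty = os.path.join(root, "empty.bin")
    bad = os.path.join(sub, "invoice.exe")
    with open(benign, "w") as fh:
        fh.write("quarterly notes\n")
    open(empty, "wb").close()
    with open(bad, "wb") as fh:
        fh.write(b"MZ constructed stand-in, not a real sample\n")
    indicators = dict(KNOWN_BAD_MD5)
    indicators[hash_file(bad)[0]] = "constructed stand-in sample"
    return {"root": root, "bad": bad, "empty": empty, "indicators": indicators}


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in scan_tree(demo["root"], demo["indicators"]):
        print("%(label)s: %(path)s md5=%(md5)s sha256=%(sha256)s" % hit)
```

Matching on MD5 is fine for this purpose because the question is "is this the same file the post describes", not "could an attacker forge a collision"; the SHA-256 is kept so the hit can be re-shared in a form other teams will accept.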

The cybercriminals behind the campaign are currently relying on thousands of compromised legitimate sites to host the redirectors and payload, in an attempt to trick Web reputation filters into treating the content as benign. Combined with the ever-decreasing price of launching a spam run through a botnet, the cybercriminals behind the campaign will easily break even on their original investment and achieve a positive ROI (return on investment).

Webroot’s security researchers will continue monitoring the campaign to ensure that Webroot SecureAnywhere customers are protected from this threat. Meanwhile, home and corporate users are advised to avoid interacting with the emails, to access LinkedIn directly rather than through links in unsolicited mail, and to ensure that they are not running outdated versions of their operating system, third-party applications and browser plugins.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


11 Responses to Spamvertised LinkedIn notifications serving client-side exploits and malware

    • Hi Eddie – Thanks for checking out our blog! That would be just fine. Feel free to use any of the content you find on our blog with a link back to the post you found it on.

  1. I’ve been using LinkedIn for quite some time, and I’ve only received a couple of messages that seemed to me to be spam, and honestly, they weren’t that bad. This is really bad what you’re talking about here. I’m really glad I know about this now so that I can make sure to keep an eye out for these exploits. Thanks so much for this info.

  2. Pingback: Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware « Webroot Threat Blog

  3. Pingback: Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware « Webroot Threat Blog

  4. Pingback: A peek inside a managed spam service « Webroot Threat Blog

  5. Pingback: Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware « Webroot Threat Blog

  6. I agree with Nic, I have not seen a lot of spam coming through LinkedIn, but the stuff you’ve identified here is pretty clever and could be pretty damaging. Thanks for the info.

  7. Pingback: Spamvertised ‘Your order confirmation’ emails serving client-side exploits and malware « Webroot Threat Blog

  8. Pingback: Ongoing spam campaign impersonates LinkedIn, serves exploits and malware « Webroot Threat Blog

  9. Pingback: Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware « Webroot Threat Blog
