Cybercriminals are currently spamvertising LinkedIn themed messages, in an attempt to trick end and corporate users into clicking on the malicious links embedded in the emails.
The campaign is using real names of LinkedIn users in an attempt to increase the authenticity of the spamvertised campaign.
Upon clicking on the malicious link, users are presented with a “Please wait page is loading…” page, whereas the malicious URL will try to exploit the “Help Center URL Validation Vulnerability” also known as CVE-2010-1885.
Sample client-side exploitation structure is as follows:
The campaign is ultimately dropping the following malware sample: MD5: 517a86d7fe88aa53658fab1be7b7ef36. The same IP, 126.96.36.199 was also observed as a command and control served used by the following MD5: 02ce2bb3c0d58c9360bb185d6b200e03.
The cybercriminals behind the campaign are currently relying on thousands of compromised legitimate sites, in an attempt to trick web reputation filters into thinking that the payload is not malicious. Combined with the ever-decreasing price for launching a spam campaign through a botnet, the cybercriminals behind the campaign will definitely break-even from their original investment, and achieve a positive ROI (return on investment).
Webroot’s security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this threat. Meanwhile, end and corporate users are advised to avoid interacting with the emails, to access the LinkedIn.com directly, and to ensure that they’re not running outdated versions of their third-party applications and browser plugins.