Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Social Networks Spam News

Attack Targets LinkedIn Users With Fake Contact Requests 122

wiredmikey writes "On Monday morning, cybercriminals began sending massive volumes of spam email messages targeting LinkedIn users. Starting at approximately 10am GMT, users of the popular business-focused social networking site began receiving emails with a fake contact request containing a malicious link. According to Cisco Security Intelligence, these messages accounted for as much as 24% of all spam sent within a 15-minute interval today. If users click, they are taken to a web page that says 'PLEASE WAITING.... 4 SECONDS..' and then redirected to Google, appearing as if nothing has happened. During those four seconds, the site attempted to infect the victim's PC with the ZeuS Malware via a 'drive-by download' – something that requires little or no user interaction to infect a system."
This discussion has been archived. No new comments can be posted.

Attack Targets LinkedIn Users With Fake Contact Requests

Comments Filter:
  • NoScript FTW (Score:5, Insightful)

    by robot256 ( 1635039 ) on Monday September 27, 2010 @04:17PM (#33716632)
    NoScript FTW. Seriously.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I don't understand how people can stand surfing with NoScript--it's got to be the most obnoxious add-on ever. Worse than those software firewalls that prompt you to to allow/disallow traffic every 3 minutes.

      • Re: (Score:3, Insightful)

        by Anonymous Coward
        Yeah, belts are the same way, I can't stand how they always keep my pants *up* when they might fall down otherwise.
        • You could always buy smaller sized pants.
          • Re: (Score:1, Funny)

            by Anonymous Coward

            You could always buy smaller sized pants.

            Is this still a metaphor for computer security, because I think I got lost somewhere. This never happens with car analogies.

        • by Joebert ( 946227 )
          More like "chastity belt".
      • Re:NoScript FTW (Score:4, Insightful)

        by aekafan ( 1690920 ) on Monday September 27, 2010 @04:29PM (#33716746)
        That is like saying that you don't understand how people can refuse to have sex with an AIDS infected whore. The internet is a very dangerous place without a lot of protection. A little inconvenience is a good trade off. I don't understand you can be on a place like Slashdot and not see this.
        • Re: (Score:2, Funny)

          by Gordonjcp ( 186804 )

          The thing is, noscript doesn'HEY YOU JUST TYPED AN APOSTROPHE, ARE YOU SURE YOU WANT TO ALLOW THIS? (Y/N)t offer much in the way of proHEY YOU JUST TYPED AN O, ARE YOU SURE YOU WANT TO ALLOW THIS? (Y/N)tection and an awful loHEY YOU JUST TYPED AN O, ARE YOU SURE YOU WANT TO ALLOW THIS? (Y/N)t of annoyance.HEY YOU JUST TYPED A FULL STOP, ARE YOU SURE YOU WANT TO ALLOW THIS? (Y/N)

          • by Jurily ( 900488 )

            The thing is, noscript doesn'HEY YOU JUST TYPED AN APOSTROPHE, ARE YOU SURE YOU WANT TO ALLOW THIS? (Y/N)t offer much in the way of proHEY YOU JUST TYPED AN O, ARE YOU SURE YOU WANT TO ALLOW THIS? (Y/N)tection and an awful loHEY YOU JUST TYPED AN O, ARE YOU SURE YOU WANT TO ALLOW THIS? (Y/N)t of annoyance.HEY YOU JUST TYPED A FULL STOP, ARE YOU SURE YOU WANT TO ALLOW THIS? (Y/N)

            Stop using Vista then.

        • That is like saying that you don't understand how people can refuse to have sex with an AIDS infected whore. The internet is a very dangerous place without a lot of protection. A little inconvenience is a good trade off. I don't understand you can be on a place like Slashdot and not see this.

          Well at least it isn't a car analogy

      • Re: (Score:2, Informative)

        It can be a-bit annoying as some sites stuff their pages with js from different sources so you're not sure which you must allow for the video to start playing etc.. But most of the time you end up visiting sites that you've already allowed and the rest of the 90% of the time you don't want to add an allow rule. I've been using it for a long time.

        The obnoxious part must be the default setup, maybe people don't know that you're supposed to hide that bar that pops up on each site saying that it has blocked js,

      • Re: (Score:3, Informative)

        by Abcd1234 ( 188840 )

        Eh, it works fine for me. Enable second-level domain scripts, and explicitly allow a few others (disqus, Google (a lot of people use their copies of jquery, etc), and a few others), and it works pretty well for the most part. Yeah, you occasionally come across a site that you have to "temporarily allow" a bunch of stuff to get it working, but those are the exception, IME.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        I don't understand how people can stand surfing with NoScript--it's got to be the most obnoxious add-on ever. Worse than those software firewalls that prompt you to to allow/disallow traffic every 3 minutes.

        It's not just that; I tried it for a few days, but couldn't figure out where the setting was to disable the "become a smug self-important jackass who has to constantly brag about NoScript in every possible online venue" mode. Since I have this attachment to my dignity and don't go clicking links from random people (and frequently not even from trusted people), I uninstalled it.

        • Haven't you worked it out yet ?

          Whenever a textarea tag is found on a page, NoScript is automatically adding in the glowing references to NoScript, and hitting the submit button.

          No user interaction required. How smart is that ?

      • I don't understand how people can stand surfing with NoScript--it's got to be the most obnoxious add-on ever.

        Yes, it is extremely frustrating to four important groups of people, those being

        1. Malware authors who are perfectionists and want -everyone- to get infected, not just 90%
        2. Advertisers who are convinced that ads that flash at you, pop up a billion ads, and start playing noises are the way to economic recovery
        3. People who can't be bothered to click a part of the window the first time they visit a new website
        4. People who hate not being infected with malware.

        Those people have my deepest sympathies.

    • I don't think NoScipt works in IE.

    • Comment removed based on user account deletion
      • Congratulations, you are immune to malicious links sent to you in email. What about the other millions of links presented to you on web pages? Besides, it's not links that I use NoScript against. It's tracking scripts, pop-up ads, flash junk, and the occasional -- yes -- honest mistake while trying to find something new and interesting. There is an awful lot more to the Internet than just email, and it tends not to be as squeaky-clean as some people make it out to be.
  • by wowbagger ( 69688 ) on Monday September 27, 2010 @04:18PM (#33716652) Homepage Journal

    " sending massive volumes of spam email messages targeting LinkedIn users."

    To paraphrase Mark Twain:

    Imagine you receive a message from LinkedIn. And imagine that it is spam. But I repeat myself.

  • by schon ( 31600 ) on Monday September 27, 2010 @04:21PM (#33716678)

    Linkedin are just a bunch of spammers anyway.

    I got an email from them, claiming that someone I knew wanted me to join. It was a spammer - the "custom message" that was included was a single link to a spam site in China.

    The email had a "if this is spam..." report button, so I used it, and noted to linkedin that I didn't know the person, and it was *obviously* spam (the link was to a spam site.) Their automated system thanked me for reporting the abuse, and I thought that was the end of it.

    Two weeks later, I receive a "helpful reminder" from Linkedin, telling me that I hadn't confirmed or rejected the invitation. Not only had they not taken any action, they helpfully included the spam link, and seemed blissfully unaware that I had reported this spammer's account two weeks prior.

    Linkedin are just a bunch of scummy spammers. I blocked all email from their domain since.

    • Linkedin are just a bunch of scummy spammers. I blocked all email from their domain since.

      That's not enough. Headhunters are going to continue to call you at work. They see where you are working and then just call your company's operator asking for you. Once you put your information on Linkedin it is for sale to anyone that pays them for it.

    • by BitZtream ( 692029 ) on Monday September 27, 2010 @04:40PM (#33716852)

      I blocked all email from their domain since.

      You do realize this current round isn't actually coming from LinkedIn right? Nor does it actually link back to their website?

      Ban their domains 18 ways to sunday, you'll still get the messages.

    • You mean you clicked on something without checking the message header? I get all kinds of bogus phishing and adware site spam-- but I've yet to see them successfully forge a header from a real site.

    • by Zorque ( 894011 )

      I got this probably about the same time you did, some Liu Chang or something wanting me to join. The fact that the site itself keeps sending reminders to join is the worst part, the site itself is spamming you. It's obnoxious.

    • I got an email from them, claiming that someone I knew wanted me to join. It was a spammer - the "custom message" that was included was a single link to a spam site in China.

      Are you sure that LinkedIn actually sent the emails and i the weren't just a spam emails? The spam emails that look to be from LinkedIn are quite good forgeries and I don't recall ever seeing real LinkedIn emails refer to a "custom message".

    • by Inda ( 580031 )
      Same here but customer service was a little more helpful for me.

      Email abuse@linkedin.com asking them to block your email address and you'll never see them again.

      Of course, if Gmail treated them as spam, there wouldn't have been a problem.
  • I got a spam email which looked like a LinkedIn request last week.

    It was immediately obvious that it was fake because it was sent to sales@

  • by Anonymous Coward

    Why do these "drive by download" vulnerabilities exists? Web browsers should be sandboxed to disallow execution of malicious code. Clicking on a hyperlink should just not execute code that runs outside of the browser sandbox. That's jus

    • by Yvan256 ( 722131 )

      I would think the answer if obvious. Sand, you see, is extremely small and could get everywhere inside the computer. That's why companies don't sandbox their products.

      If you want sand, bring your laptop to the beach.

      • by Yvan256 ( 722131 )

        P.S.: Slashdot really needs a "smartass" moderation option. Like funny, wouldn't count toward the karma.

    • Sure, browsers can run java applets which are sandboxed. Probably why phishers don't use java.

  • by BitZtream ( 692029 ) on Monday September 27, 2010 @04:39PM (#33716838)

    LinkedIn spamming started before today, I know as we've got several from last week.

    Today we started getting the netflix emails about 'lost in mail' disks for movies that haven't been requested and/or to users without netflix accounts.

    Way to notice whats going on guys.

    • by marsu_k ( 701360 )
      We had hundreds of these per day a couple of weeks back at work - somehow they got past our spam filter (perhaps LinkedIn was whitelisted), although they were obviously spam. What was odd was the fact that I've registered to LinkedIn with my @gmail address, but the spam came to @work. The part before @ is the same though.
  • I get REAL contact requests from Linked In occasionally. What a pain!
    • The only real contact requests I got on Linked In were spam, just slightly more sophisticated than this. I have never seen that site do anything useful.

      • by Bigbutt ( 65939 )

        That and fricking headhunters who sent me a request for a one day a week, $20 an hour job in Austin Texas.

        Idiots.

        [John]

  • by gad_zuki! ( 70830 ) on Monday September 27, 2010 @04:46PM (#33716904)

    Or is another "Download gdggdsf.exe" and moronic users click on Run?

    So far I've only see "drive by download" which is 100% meaningless. Would it kill them to tell us what exploit, if any is being used?

    • I mean maybe it uses a real exploit, like say the hole in Acrobat Reader. That's been patched now but it is recent so people are probably still vulnerable. Would be nice to know what it is so we know what to look for if a user gets hit.

      • Re: (Score:3, Interesting)

        by GIL_Dude ( 850471 )
        Actually only some of the exploits in Acrobat Reader have been patched. According to the latest security bulletin from Adobe, reader 9.3.4 has critical vulnerabilities and they will release a patch the week of Oct. 4th. So unfortunately you can still get hit with certain Reader/PDF exploits by visiting a site.
  • Why is it no matter how short the message involved in a scam, somehow the English is mangled? It seems like a good malware defense is simply a good understanding of the English language. Please WAITING?

  • I assume that this is a Windows only malware but as usual, no mention is made of platform.
  • Botnets, worldwide botnets.
    What kind of boxes are on on botnets?

    Compaq, HP, Dell and Sony, true!
    Gateway, Packard Bell, maybe even Asus, too.

    Are boxes, found on botnets.
    All running Windows. FOO!

  • by MichaelSmith ( 789609 ) on Monday September 27, 2010 @05:10PM (#33717108) Homepage Journal

    ...but I don't think the have anything to do with my non-neglected linkedin account. Its just normal phishing.

    What I did get yesterday was a telephone spam phishing attempt. They called told me they had detected malware from my system and tried to get me to load a remote administration tool from their web site [irssupport.net]. Take a look at the language on that site "Blue Screen To Death Error", etc. Its hilarious.

    • by !eopard ( 981784 )
      I had a phone call claiming to be from the "Microsoft Certified Technical Department" :o, apparently this IRS group had identified my computer as being ridden with viruses. I was only able to keep them on the phone for 7 mins, but it was sorta funny considering how hard they were trying to get me to open this website. Asking how they obtained my phone number from my IP address seemed to be the clincher in her hanging up. I wish I'd thought to boot a Windows VM box, might've been able to waste more of thei
      • Yeah thats the call I got, about 24 hours ago. I am in Australia. I wish I had let the call go longer. Could be good for endless minutes of lulz.

  • by Nom du Keyboard ( 633989 ) on Monday September 27, 2010 @05:16PM (#33717158)
    I'm ready to execute all malware writers. Put them up against the wall and remove the problem forever. They contribute absolutely nothing of use to society.
    • Re: (Score:2, Troll)

      by Yvan256 ( 722131 )

      And how do you feel about the source of all these problems? Is there someone named B.G. at the top of your list?

    • by feufeu ( 1109929 )
      Jesus christ, are you completely crazy ? Of course it's lots of use to the whole computer-security industry which probably wouldn't even exist if someone didn't take the time to write a new virus/worm/whatever every now and then !

      The more i think the more i cannot exclude that the industry writes the malware on their own...

    • Comment removed based on user account deletion
    • Execute those who execute malicious remote code? What goes around comes around I guess. ;)
    • I'd line them all up and thank them... for providing me with an endless source of income, in the form of poor, helpless clients.
  • Problem solved.

    • Phew, I feel a lot better now. My basement doesn't have any.
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Thanks for your useful and astute knowledge of the situation. Everybody should just drop their operating system and use a different one, because nobody relies on certain features of that OS or software exclusive to it. You've really done us all a favor.

  • I got 114 spams for Linkedin on two email accounts from the 24th 11:18 pm GMT+2 to 27th 11:50 GMT +2.... 80% of these were blocked automatically by simple rules like checking for Reverse DNS and checking if the sender IP is blacklisted.

    Funny enough, all websites used in the messages point to a file 1.html - I guess they used some bots and some vulnerability of those websites to upload the html file with that particular name.

  • by Linux_ho ( 205887 ) on Monday September 27, 2010 @06:11PM (#33717606) Homepage
    Changing one tilde to a dash would solve this problem for 90% or more of the phishing targets.

    $ dig txt linkedin.com

    ;; ANSWER SECTION:
    linkedin.com.        21600    IN    TXT    "v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all"

    • by ls671 ( 1122017 ) *

      Of course because 90% of routers, firewalls and mail servers have SPF built-in into them and hardwired in a way that it is impossible to disable.

      Seriously about 50% of all domains use SPF.

      On my small domains with a few machines, I do publish SPF records with a "-all" (dash) record but I do not use SPF directly to filter email. I give a small weight when SPF records do not match amongst a lot of other factors in order to make a decision whether an email is spam or not but I never block an email based only o

      • For big domains with multiple machines and customers who access the net in many different ways. Having an SPF record with "-all" is a guaranteed way to have your legitimate customer emails blocked at some point.

        I don't see why, if it's correctly configured. The domain I run has hundreds of machines. There are bigger domains out there, but I don't see how they would be significantly different. "Having an SPF record with -all" simply means you're confident that you know what IP addresses your domain's outgo

  • I had a few each Friday and Saturday and several on Monday. The URL's of the links varied. None of them were linkedin.com.

    Engage brain before clicking.

  • I've been getting these for several days, at least.

    I just now deleted one from two days ago. And they started before then. But I must admit they have been getting more common. I had like 12 just today.

If mathematically you end up with the wrong answer, try multiplying by the page number.

Working...