Researchers Find LinkedIn Spam Downloads Trojan

Monday, August 29, 2011



Researchers from Barracuda Labs have discovered a spam email operation with spoofed headers making the messages appear to be from the professional social network LinkedIn.

The threat is unique in that the operation is utilizing an exploit toolkit which circumvents HTTPS protection and allows the downloading of a password sniffing Trojan.

"Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn.  The quantities were significant, tens of thousands an hour, and these were pretty convincing messages," Barracuda reports.

A sample of the suspected spam emails appears as the following:

Linkedin spam

Barracuda reports that the header URL in the "From" section is spoofed, and that the URL in the body of the text exposes the target to malicious code:

LinkedIn spam

Usually the target's antivirus will detect the malicious code, else the attempt to execute the code will prompt Windows to display a request for the malicious code to be allowed to run.

What makes this attack more insidious is the use of an exploit kit which may prevent users from knowing that the malicious code is being executed.

"But this attack is different and much more serious. Each of the malicious domains such as or hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications. Clicking on the 'follow this link' hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however there is a lot going on behind the scenes," Barracuda reports.

Analysis of the traffic upon execution of the malicious code shows the Adobe Reader plugin, Windows Media Player and Internet Explorer which result in the download of the Jorick Trojan.

Jorick is a password sniffing Trojan that will contact a command and control server to download a configuration file that poses a serious threat by seeking to trick targets into revealing sensitive security protocols, like the answers to security questions.

"These password-stealing Trojans are programmed to insert themselves into the browser stack and can intercept login pages even before they are encrypted by HTTPS... When a login page for one of the monitored sites is displayed, the corresponding code snippet is added to the page. These code snippets ask for additional security questions or special passwords, information the password thieves want but questions that the legitimate login page does not ask," Barracuda notes.

Always exercise caution when confronted with emails even if they appear to be legitimate communications from trusted sources.


Possibly Related Articles:
Passwords SPAM malware Headlines Malicious Code LinkedIn Barracuda Networks Sniffer Jorick Trojan
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.