LinkedIn has more than 90 million members, many of whom are business users. 50% of them are located in the US. LinkedIn's membership includes executives from every company listed on the 2010 Fortune 500!

Mickey Boodaei, Trusteer's CEO, comments: "This makes LinkedIn an ideal platform for cyber criminals to attack enterprise networks. Through LinkedIn, cyber criminals can build a profile of targeted enterprises. They can locate key people within the enterprise and target them with spam emails that would eventually place malware on their computer or steal their log-in credentials to email and other sensitive systems. Sounds unlikely? Well, think again."

In the last couple of days, Trusteer has witnessed a malware campaign that targets LinkedIn users. It starts with a simple connect request sent to the victim's mailbox. Here is a screen capture of this email:

To enable comparison, this is what a real LinkedIn invitation looks like:

"As you can see, they are pretty much identical, so it's hard to notice that the first is fraudulent while the second is genuine. If you click the 'Confirm that you know' link on the genuine email, it takes you to LinkedIn's website. However, if the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer," Boodaei continued.

The fraudulent website is hxxp://salesforceappi.com/loginapi.php?tp=1da14085e243eaf9 (http was replaced with hxxp to avoid confusion). Don't follow this link or paste it into your browser, or you risk getting infected. The domain salesforceappi.com was registered two days ago and the IP address of the server is in Russia. The domain was designed to look as if it is associated with Salesforce.com, but in fact it has nothing to do with Salesforce.com.

The malicious server uses the BlackHole exploit kit to download malware to the victim's computer. This exploit kit used to sell for $1,500 but was recently made available for free. Its first version appeared on the black market in August 2010. It is based on PHP and uses a MySQL database. Thousands of websites have been infected with BlackHole, which exploits vulnerabilities on visitors' computers in order to place malware on them. This kind of attack is also known as a drive-by download.

This specific malicious website uses BlackHole to download the notorious Zeus 2 malware onto the victim's computer. Zeus is a well-known and highly sophisticated piece of malware. Many mistakenly think that Zeus is only associated with financial fraud. However, we've recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and to gain unauthorized access to sensitive systems.

Enterprise users who click this link can get infected with Zeus, which will then allow cyber criminals to access their workstation and, from there, sensitive corporate information and data. The attack becomes even more dangerous when users get infected on workstations and laptops that are outside the enterprise network but are used to access the enterprise through VPNs.

Anti-malware detection for this version of Zeus is close to zero. Only two anti-malware solutions out of 42 detect this variant at the moment. Most of the leading anti-malware solutions do not detect it. Statistics can be seen here: http://www.virustotal.com/file-scan/report.html?id=869579adb68399f2cadc684e49dfed0b149ee250c58e3c21845f1ee2514c5d37-1306969338. This demonstrates how easy it is for malware authors to create variants that completely fly under the radar of anti-malware solutions. The critical time for this attack was the last couple of days, and during those days there was close to zero protection from anti-malware solutions. Tomorrow's detection rates are irrelevant, because by tomorrow there will be different attacks.

Once installed, this variant of Zeus sends the information it steals to the following server in China: hxxp://xwhoisdns.com/msofficepsdx.php (IP address: 122.224.18.36). More information about this server is available here: http://whois.domaintools.com/122.224.18.36

How likely are users to click this link and access this malicious server? A survey we conducted a couple of months ago shows that 68% of enterprise users who receive a fake LinkedIn message are likely to click on it and get infected with malware. More information about this survey is available here: http://www.trusteer.com/blog/rsa-and-epsilon-research-shows-education-can%E2%80%99t-protect-against-new-social-engineering-attacks

LinkedIn and other social networks train us to click on links. They send us updates with calls to action on a daily basis and encourage us to click on links that increase the usage of their websites. This is extremely dangerous, as many users click on these links almost automatically without trying to verify their authenticity. The above example is even more dangerous because LinkedIn wraps the action link in a button, which makes it even harder to retrieve the actual link and verify it.
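Because the button hides the real target, the check a mail gateway or an analyst wants is "where does each link in this message actually go, and is that the brand the message claims to be from?" The following is an added example, not code from Trusteer or from the article: it parses a constructed HTML body that imitates the fraudulent invitation described above (the button target is the defanged URL quoted in the article, so nothing is fetched or resolved), extracts every anchor's real href, reduces the host to its registrable domain and flags any link whose domain is not one LinkedIn itself would use. The `EXPECTED_DOMAINS` policy and the two-label `registrable_domain()` shortcut are assumptions made for this example; a production deployment would use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a minimal HTML body imitating the fraudulent LinkedIn
# invitation described in the article. The button's target is the defanged
# URL quoted there (hxxp instead of http), so this is inert sample data.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>John Doe has indicated you are a person they trust.</p>
<table><tr><td style="background:#0077b5">
  <a href="hxxp://salesforceappi.com/loginapi.php?tp=1da14085e243eaf9"
     style="color:#fff;text-decoration:none">Confirm that you know John</a>
</td></tr></table>
<p><a href="http://www.linkedin.com/help">Why am I receiving this?</a></p>
</body></html>
"""

# Hypothetical policy for this example: registrable domains that a message
# claiming to be a LinkedIn invitation may legitimately link to.
EXPECTED_DOMAINS = {"linkedin.com"}


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs. A 'button' in HTML mail is just a
    styled <a> tag, so this recovers the target the button hides."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host. Adequate for .com-style names only; this
    simplification is an assumption of the example (use the Public Suffix
    List for co.uk-style domains)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_links(html, expected_domains=EXPECTED_DOMAINS):
    """Return one finding per link: the real host, its registrable domain and
    whether that domain matches the brand the message claims to be from."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        # Undo hxxp:// defanging so urlparse sees a normal URL.
        url = "http" + href[4:] if href.lower().startswith("hxxp") else href
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        findings.append({
            "text": text,
            "host": host,
            "domain": domain,
            "suspicious": domain not in expected_domains,
        })
    return findings


def suspicious_links(html, expected_domains=EXPECTED_DOMAINS):
    """Only the links that point somewhere other than the claimed brand."""
    return [f for f in analyse_links(html, expected_domains) if f["suspicious"]]


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['text']!r} -> {f['host']}")
```

Run against the sample, the "Confirm that you know" button is flagged because its registrable domain is salesforceappi.com rather than linkedin.com, while the help link passes. The same comparison, using the sending domain from the message headers as the expected brand, is what a gateway rule or a user-facing "this button goes to another site" warning can be built on.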

Recent attacks against RSA, Epsilon, Sony, Google, Oak Ridge National Laboratory and many other enterprises demonstrate the vulnerability of endpoints to targeted malware attacks. Cyber criminals are putting a great deal of effort into these attacks and are, unfortunately, successful.

Recommendations from Trusteer:

For individuals: never click on email links from social networking websites. We even recommend not opening these emails. Access your social networking website by typing the address into your browser. Log into your account and read your messages directly from your account.

For enterprises: your employees' endpoints are highly targeted by cyber criminals. Unmanaged employee devices are the biggest security threat, but endpoint devices within the network are also a concern. The fact that you have a leading anti-malware solution installed on your endpoints doesn't mean you're immune to these attacks. They often use zero-day vulnerabilities and zero-day malware variants to bypass anti-malware solutions. Enterprises should complement their endpoint security with a zero-day data protection solution like Trusteer Rapport.

For more information see http://www.trusteer.com/blog