Issue 142 - November 2012 (1st Edition) - Page 14
LinkedIn 'Invitation to Connect' Malware Emails
Outline
An email purporting to be from the business-focused social network LinkedIn asks recipients to click buttons to accept or ignore an invitation to connect to a LinkedIn user.
Brief Analysis
The message is not from LinkedIn. Links in the message open various compromised websites that redirect to sites that harbour malware. This malware campaign is very similar to another current campaign that uses fake 'blocked account' notifications purporting to be from Facebook. If you receive one of these messages, do not follow any links that it may contain.
Last updated: October 17, 2012
First published: October 17, 2012
Article written by Brett M. Christensen
Research by Brett Christensen, Matthew Christensen
Example
From: LinkedIn.Invitations
Subject: Invitation
Hi [email address removed]
David sent you an invitation to connect 4 days ago. How would you like to respond?
Accept Ignore Privately
[Name Removed]
OfficeMax (Divisional Managing Director)
Detailed Analysis
This email, which masquerades as a member invitation from the popular business-focused social network LinkedIn, asks recipients to respond to the invitation by clicking either "Accept" or "Ignore". The message also includes an unsubscribe link and a link supposedly leading to more information about the message. The email includes the LinkedIn logo and looks very similar to a genuine LinkedIn invitation message.
However, the message is not from LinkedIn.
All of the links in the message lead to compromised websites that have no connection to LinkedIn. Once a user lands on one of these websites, they are shown the message, "Please wait.....connecting to server". The site then redirects to another website that harbours malware. Typically, it appears that the sites contain a version of the criminal toolkit known as the BlackHole Exploit Kit. BlackHole is a web application used by criminals to exploit browser vulnerabilities as a means of downloading and installing trojans and other types of malware.
Facebook users are also currently being targeted in a very similar malware/phishing campaign in which they receive fake "blocked account" notifications purporting to be from "The Facebook Team". And another recent BlackHole campaign used fake emails claiming to be from payroll company ADP.
In fact, LinkedIn has regularly been targeted in such malware and phishing attacks. A similar distribution of bogus LinkedIn invitations took place back in September 2010, and there have been various other such attempts since.
Always ensure that LinkedIn messages are really from LinkedIn. Scam emails often use HTML to disguise links in their bogus messages. Holding the mouse cursor over a link in the email should display the underlying web address in your email client's status bar and allow you to easily detect if the link is disguised.
It is always safest to log in to all of your online accounts by entering the account web address into your browser's address bar rather than by clicking a link in an email.