Debunking email hoaxes and exposing Internet scams since 2003!

LinkedIn 'Invitation to Connect' Malware Emails

Outline
An email purporting to be from the business-focused social network LinkedIn asks recipients to click buttons to accept or ignore an invitation to connect with a LinkedIn user.



Brief Analysis
The message is not from LinkedIn. Links in the message open various compromised websites that redirect to sites that harbour malware. This malware campaign is very similar to another current campaign that uses fake 'blocked account' notifications purporting to be from Facebook. If you receive one of these messages, do not follow any links that it may contain.






Last updated: October 17, 2012
First published: October 17, 2012
Article written by Brett M. Christensen
Research by Brett Christensen, Matthew Christensen
About Brett Christensen and Hoax-Slayer


Example
From: LinkedIn.Invitations
Subject: Invitation


Hi [email address removed]

David sent you an invitation to connect 4 days ago. How would you like to respond?

Accept Ignore Privately

[Name Removed]
OfficeMax (Divisional Managing Director)


LinkedIN Malware Email



Detailed Analysis
This email, which masquerades as a member invitation from the popular business-focused social network LinkedIn, asks recipients to respond to the invitation by clicking either "Accept" or "Ignore". The message also includes an unsubscribe link and a link supposedly leading to more information about the message. The email includes the LinkedIn logo and looks very similar to a genuine LinkedIn invitation message.

However, the message is not from LinkedIn. All of the links in the message lead to compromised websites that have no connection to LinkedIn. Once a user lands on one of these websites, they are shown the message, "Please wait.....connecting to server". The site then redirects to another website that harbours malware. Typically, it appears that the sites contain a version of the criminal toolkit known as the BlackHole Exploit Kit. BlackHole is a web application used by criminals to exploit browser vulnerabilities as a means of downloading and installing trojans and other types of malware.

Facebook users are also currently being targeted in a very similar malware/phishing campaign in which they receive fake "blocked account" notifications purporting to be from "The Facebook Team". And another recent BlackHole campaign used fake emails claiming to be from payroll company ADP.

In fact, LinkedIn has regularly been targeted in such malware and phishing attacks. A similar distribution of bogus LinkedIn invitations took place back in September 2010, and there have been various other such attempts since. Always ensure that LinkedIn messages are really from LinkedIn. Scam emails often use HTML to disguise links in their bogus messages. Holding the mouse cursor over a link in the email should display the underlying web address in your email client's status bar and allow you to easily detect if the link is disguised.

It is always safest to log in to all of your online accounts by entering the account web address into your browser's address bar rather than by clicking a link in an email.



References

Facebook 'Blocked Account' Scam Email
ADP 'Transaction Reports' Malware Email
Fake LinkedIn Invitation Emails Point to Malware
Fake LinkedIn Email Leads to Pharmacy Spam Websites
Check Links in HTML Emails

