Cisco Security Tracks LinkedIn Spam Attack

September 27, 2010

Starting this morning—Monday, September 27, at 10am GMT—cyber criminals sent spam email messages targeting users of the LinkedIn social media community. This is the largest such attack known to date.

[Image: LinkedIn Spam Table 1]

In the attack, victims are emailed an alert that contains a link with a fictitious social media contact request. This morning, these messages accounted for as much as 24% of all spam sent within a 15-minute interval. Clicking the link takes victims to a web page that says, “PLEASE WAITING…. 4 SECONDS,” and redirects them to Google. During those four seconds, the victim’s PC is infected with the ZeuS data-theft malware via a drive-by download. ZeuS embeds itself in the victim’s web browser and captures personal information, such as online banking credentials, and is widely used by criminals to pilfer commercial bank accounts.
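The two stages described above (a lure email whose link text imitates LinkedIn but points elsewhere, and a landing page that parks the visitor for a few seconds before redirecting to Google while a hidden frame loads) both leave simple, checkable indicators. The script below is an added example written for this page, not code from Cisco or from the post; every hostname in it (lure.example, linkedin-mail.example, corp.example) is a constructed placeholder, and the trusted-domain list and the 10-second refresh threshold are assumptions a defender would tune.

```python
"""Added example: indicator checks for the LinkedIn-themed lure and its landing page.
Not from the Cisco post; all hosts and messages below are constructed samples."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand the lure impersonates. Extend for other impersonated brands.
TRUSTED_HOSTS = {"linkedin.com"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_HOSTS):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


class LinkCollector(HTMLParser):
    """Collects anchors (href + visible text), meta-refresh redirects and hidden iframes."""

    def __init__(self):
        super().__init__()
        self.links = []           # [href, visible text] pairs
        self.meta_refresh = []    # (delay in seconds, target URL)
        self.hidden_iframes = []  # src of iframes that are invisible to the user
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = [a["href"], ""]
            self.links.append(self._current)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append((int(m.group(1)), m.group(2)))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.hidden_iframes.append(a.get("src", ""))

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def lure_findings(raw_message):
    """Flag a sender domain and any link whose text claims LinkedIn but whose href does not."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"]
    if sender and sender.addresses:
        dom = sender.addresses[0].domain.lower()
        if not is_trusted(dom):
            findings.append(f"sender domain {dom} is not a trusted LinkedIn domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    for href, label in parser.links:
        claims_brand = any(t.split(".")[0] in label.lower() for t in TRUSTED_HOSTS)
        if claims_brand and not is_trusted(host_of(href)):
            findings.append(f"link text claims LinkedIn but points at {host_of(href)}")
    return findings


def landing_findings(html, max_delay=10):
    """Flag a short timed redirect and any hidden iframe on a fetched landing page."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for delay, target in parser.meta_refresh:
        if delay <= max_delay:
            findings.append(f"meta refresh to {host_of(target)} after {delay}s")
    for src in parser.hidden_iframes:
        findings.append(f"hidden iframe loading {host_of(src)}")
    return findings


# Constructed sample lure, modelled on the contact-request alert described above.
RAW_LURE = """From: LinkedIn <member@linkedin-mail.example>
To: user@corp.example
Subject: Invitation from a colleague
Content-Type: text/html; charset=us-ascii

<html><body>
<p>You have a new connection request.</p>
<a href="http://lure.example/invite/4321">https://www.linkedin.com/e/invitation/</a>
</body></html>
"""

# Constructed sample landing page: a 4-second wait, a redirect to Google, a hidden frame.
RAW_LANDING = """<html><head>
<meta http-equiv="refresh" content="4;url=https://www.google.com/">
</head><body>PLEASE WAITING.... 4 SECONDS
<iframe src="http://lure.example/payload" width="1" height="1" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in lure_findings(RAW_LURE) + landing_findings(RAW_LANDING):
        print("FINDING:", f)
```

Run on the constructed lure it reports the untrusted sender domain and the link whose visible text imitates linkedin.com while its href resolves elsewhere; on the constructed landing page it reports the 4-second refresh to www.google.com and the invisible iframe. Neither indicator on its own proves infection, but together they match the pattern described in this post closely enough to quarantine the message and block the landing host at the proxy.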

[Image: LinkedIn Spam]

This is not the first time that criminals have subverted brands associated with online social media. The criminals controlling the Cutwail botnet routinely send email messages impersonating major social networks and governmental organizations. What makes this attack unique is the combination of the extremely high volume of messages transmitted, the focus on business users, and the use of the ZeuS data-theft malware. This strongly suggests that the criminals behind this attack are most interested in employees with access to financial systems and online commercial bank accounts. According to the FBI’s Internet Crime Complaint Center, criminals stole more than US$100m in 2009 from commercial bank accounts using this and similar methods.

Organizations should encourage individuals to delete such requests, especially if they do not know the name of the contact. This is the second spam attack this month of this magnitude, preceded by the “Here You Have” email worm a few weeks ago. Cisco expects to see more spam messages containing malware sent to organizations in an attempt to collect personal information.
