How a LinkedIn notice could empty your bank account

Aug 27, 11 How a LinkedIn notice could empty your bank account

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

Banks

We see a lot of spam at Barracuda Labs.  Sometimes they’re as simple and straightforward as a Viagra ad, but just as often they can be as serious and as devastating as an urban mugging.  We’ve been watching one of those muggings play out over the past few days, and it has reminded us that spam is nothing to take lightly.

Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn.  The quantities were significant, tens of thousands an hour, and these were pretty convincing messages.

Linkedin spam

As convincing as they may be these emails have nothing to do with LinkedIn.  The from address is fake and the “Follow this link” hyperlink leads to one of a set of recently registered domains deliberately set up to serve malicious content

LinkedIn spam

 

Most of these sorts of spam attacks simply link to a malware file which the browser then downloads and offers to run. If an antivirus doesn’t intercept such a file then Windows will ask for permission to run it and it is easy enough to say no.

But this attack is different and much more serious. Each of the malicious domains such as linkedin-reports.com or linkedin-alert.com hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications.

Clicking on the “follow this link” hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however there is a lot going on behind the scenes.

Below is what the behind-the-scenes network traffic looked like.

Network traffic of exploits

(Click for larger image)

This traffic capture shows a series of attacks against Internet Explorer (1), against the Adobe PDF reader plug-in (2) and finally against Windows Media Player (3).  Eventually these exploits result in the download of Trojan.Jorik (4).

Trojan.Jorik is a password stealer which gets right to work, periodically checking in with its command and control server (5).

After contacting the control server the Trojan contacts another server (6) for an interesting – and somewhat scary – configuration file.

Update with phishing HTML

(Click for larger image)

 

These password-stealing Trojans are programmed to insert themselves into the browser stack and can intercept login pages even before they are encrypted by HTTPS.  The list above shows the services that the Trojan is being configured to monitor.  There is more configuration that is not shown in this graphic – pages of HTML code snippets to be injected into login pages. When a login page for one of the monitored sites is displayed, the corresponding code snippet is added to the page. These code snippets ask for additional security questions or special passwords, information the password thieves want but questions that the legitimate login page does not ask.

Having your online banking credentials stolen is serious stuff, especially if the credentials belong to an organization or business with a hefty bank balance.  Consider the most recent story from Brian Krebs about the Cyber Theft of $217,000 from a nonprofit in Nebraska.

 

With so much spam circulating through email servers worldwide, it is easy to become insensitive to the very real danger that  truly malicious spam poses.  Never let down your guard, and never ever follow links in emails even if they appear to be official looking. As you can see from this example, one click can be all it takes.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.