Malicious LinkedIn Messages Hit Computers with Zeus Malware

Enterprise workstations are being compromised by malware finding its way onto corporate networks by malicious emails sent to look like messages from the LinkedIn social networking site.

Prospective employers and job applicants aren't the only ones using LinkedIn for research. Cyber-criminals are increasingly using the social networking site for professionals to identify potential victims, according to security experts.

Security firm Trusteer uncovered spam messages designed to look almost the same as legitimate notification messages from LinkedIn, Trusteer CEO Mickey Boodaei wrote on the company blog June 2. When users click on the link in the message, usually an invitation to connect with someone, they are redirected to a malicious server in Russia serving up malware.

Through LinkedIn, cyber-criminals can build a profile of targeted enterprises and locate key people within the organization. The spam messages sent to those folks could be used to install malware, which could steal login credentials or other confidential information.

"Sounds unlikely? Well, think again," Boodaei said.

The fraudulent LinkedIn messages take users to a salesforceappi.com domain. Despite the name, the domain has nothing to do with Salesforce.com. It was registered May 31, and the server associated with the IP address is based in Russia.

The users are then hit by drive-by-download attacks based on the BlackHole exploit kit to install the Zeus 2 Trojan on the computer, according to Trusteer. This Zeus variant transmits the stolen data to a server in Zhejiang, China.

This article was originally published on 06-08-2011
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.