MSFN Forum: Fake LinkedIn Messages Install Zeus Malware on Victims' Computers


Fake LinkedIn Messages Install Zeus Malware on Victims' Computers

Posted on Jun 08 2011 08:38 AM by xper in Security | Viewed 6004 Times

Social networking site LinkedIn is being used to find victims and then to send maliciously crafted emails to compromise enterprise workstations. Prospective employers and job applicants aren’t the only ones using LinkedIn for research. Cyber-criminals are increasingly using the social networking site for professionals to identify potential victims, according to security experts.

Security firm Trusteer uncovered spam messages designed to look almost the same as legitimate notification messages from LinkedIn, Trusteer CEO Mickey Boodaei wrote on the company blog June 2. When users click on the link in the message, usually an invitation to connect with someone, they are redirected to a malicious server in Russia serving up malware.

Through LinkedIn, cyber-criminals can build a profile of targeted enterprises and locate key people within the organization. The spam messages sent to those folks could be used to install malware, which could steal login credentials or other confidential information.

“Sounds unlikely? Well, think again,” Boodaei said.

The fraudulent LinkedIn messages take users to a salesforceappi.com domain. Despite the name, the domain has nothing to do with Salesforce.com. It was registered May 31, and the server associated with the IP address is based in Russia.

The users are then hit by drive-by-download attacks based on the BlackHole exploit kit to install the Zeus 2 Trojan on the computer, according to Trusteer. This Zeus variant transmits the stolen data to a server in Zhejiang, China.

More @ eWeek
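As an added illustration (not part of the original article or of Trusteer's write-up), the sketch below shows a mail-filter check for the pattern described above: a message presenting itself as a LinkedIn notification whose link leads to a domain outside LinkedIn's, here one that merely embeds another brand's name. The allowlist, function names, sample message and URL path are constructed assumptions; only the domain name is taken from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of domains each brand legitimately links to (illustrative only).
BRAND_DOMAINS = {"linkedin": {"linkedin.com"}, "salesforce": {"salesforce.com"}}

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def registered_domain(host):
    # Simplification: keep the last two labels. A real filter needs a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit_message(claimed_brand, html_body):
    """Return (url, reason) for each link that is outside the claimed brand's domains."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for url in parser.hrefs:
        host = urlsplit(url).hostname
        if not host:
            continue
        domain = registered_domain(host)
        if domain in BRAND_DOMAINS.get(claimed_brand, set()):
            continue
        reasons = [f"link leaves {claimed_brand} domains"]
        for brand, legit in BRAND_DOMAINS.items():
            # A brand name inside a domain the brand does not own suggests a lookalike.
            if brand in domain and domain not in legit:
                reasons.append(f"embeds '{brand}' but is not one of its domains")
        findings.append((url, "; ".join(reasons)))
    return findings

# Constructed sample message; the path is a placeholder.
SAMPLE = (
    "<p>Jane Doe has invited you to connect on LinkedIn.</p>"
    '<a href="http://salesforceappi.com/placeholder-path">Accept</a> '
    '<a href="https://www.linkedin.com/settings">Unsubscribe</a>'
)

if __name__ == "__main__":
    for url, reason in audit_message("linkedin", SAMPLE):
        print(url, "->", reason)
```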



