We are currently seeing a malicious spam campaign purporting to be a notification from LinkedIn. The messages look realistic, but the giveaway is the bogus link exposed when you hover over the confirm button.
The bogus link salesforceappi[dot]com leads off to a server hosting an exploit kit, which automatically attempts to load malware onto the victim’s computer by using one of a number of ‘canned’ exploits targeting known vulnerabilities.
The campaign is very similar to one we saw last September, also using LinkedIn and also leading to an exploit kit. Real notifications from these sorts of social networking sites are commonplace and the bad guys are preying on this. Remember, just because it looks legit, doesn’t mean it is.
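The "hover over the button" check described above can be automated on the mail gateway: pull every link out of the message body and flag any whose destination domain is not the one the message claims to come from. This is an added illustration, not code from the original post; the HTML sample and the confirm-link domain in it are constructed, and the two-label domain comparison is a simplification (a real deployment would use the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a notification that presents itself as LinkedIn, whose
# "Confirm" call-to-action points at an unrelated, made-up domain.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>You have a new invitation on LinkedIn.</p>
<a href="https://www.linkedin.com/help">Help center</a>
<a href="http://notification-confirm.example/invite?id=42">Confirm that you know John</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    # Simplification: keep the last two labels of the host (no public suffix list).
    host = urlparse(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def find_mismatched_links(html, claimed_domain):
    """Return (href, text) for every link that leaves the claimed sender's domain.
    A message that says it is from LinkedIn should not send its confirm button
    elsewhere; anything that does is what the hover check would have revealed."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if registrable_domain(href) != claimed_domain.lower()]
```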
Update: 7 June
After some investigation, we identified the exploit kit as the Blackhole kit, and managed to gain access to its control panel. Below is an interesting statistics page that shows:
- Successful malware ‘loads’ at 17.55%
- Successful loads against most browsers, with Internet Explorer at the top with 28.25% of loads
- Successful loads on a range of operating systems
- Java exploits account for 80% of successful loads, and PDF exploits account for a further 12%
The moral of the story is to keep your software updated, impeccably, at all times. Particularly Java and PDF readers.
Thanks to Daniel Chechik who assisted with details on the Blackhole Exploit kit.