A new wave of rogue emails posing as LinkedIn invitations is directing recipients to a page hosting an exploit pack that drops malware on their computers.The messages bear subjects of the form "[Name] at [Company] wants to connect on LinkedIn" and have forged headers to appear as if they originate from a @linkedin.com email address.
It seems the attackers used a legit LinkedIn email template and replaced the target link of the confirmation button.
The body message is LinkedIn's default "I'd like to add you to my professional network on LinkedIn" phrase.
However, the spammers did overlook some details. For example, the name in the subject doesn't match the one in the message.
According to security researchers from messaging security vendor M86, the confirmation button takes recipients to a malicious page on the salesforceappi.com domain name [notice the double p].
The legit salesforceapi.com [single p] belongs to CRM and cloud computing vendor Salesforce and is used to provide information about its API.
"The bogus link salesforceappi[dot]com leads off to a server hosting an exploit kit, which automatically attempts to load malware onto the victim’s computer by using one of a number of ‘canned’ exploits targeting known vulnerabilities," M86's lead security researcher, Phil Hay, warns.
Exploit kits normally target vulnerabilities in popular software like Java, Adobe Reader, Flash Player, or the operating system itself. The exploitation attacks are called drive-by downloads and are very effective because they are usually completely transparent to the victim.
Of course, this is not the first time when spam emails are being passed as official LinkedIn communications. Some of the previous campaigns we reported distributed a variant of the notorious ZeuS banking trojan.