Softpedia
 


September 28th, 2010, 16:48 GMT · By

Rogue LinkedIn Emails Direct Users to Zbot Drive-By Download

Fake LinkedIn alerts distribute links to ZBot attacks
Rogue emails posing as LinkedIn alerts direct users to a malicious page, which attempts to infect them with a variant of the ZBot information-stealing trojan.

The spam campaign was launched yesterday and, according to Cisco Security, it was the largest known attack to date targeting LinkedIn users.

At one point, the fake emails accounted for well over 25% of the total spam traffic registered by the company's systems.

The messages come with a subject of "LinkedIn Alert" and have their header spoofed to appear as originating from a communication@linkedin.com address.

It appears that spammers have abused a legit LinkedIn email template in order to make the emails look more authentic, a technique we've seen used a lot this summer.

Recipients are reminded of an invitation from a friend and are informed that two pending messages await their response. All links present in the emails have been modified to point to a malicious page.
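
The two traits described above (a From header claiming linkedin.com, and links that lead somewhere else) can be turned into a simple mail-filter check. The following is an added example, not code from Softpedia or Cisco; the sample message, the `malicious.example` host and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the article's description; the link host is a placeholder.
SAMPLE = """\
From: LinkedIn <communication@linkedin.com>
To: user@example.org
Subject: LinkedIn Alert
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have 2 pending messages.</p>
<a href="http://malicious.example/1.html">http://www.linkedin.com/inbox</a>
<a href="https://www.linkedin.com/settings">Unsubscribe</a>
</body></html>
"""

class _Links(HTMLParser):
    """Collects the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _in_domain(host, domain):
    # Exact match or true subdomain; "linkedin.com.evil.example" does not match.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def off_brand_links(raw, brand="linkedin.com"):
    """Return http(s) hrefs outside `brand` when the From header claims `brand`."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not _in_domain(sender.rpartition("@")[2], brand):
        return []  # message does not claim to come from the brand
    parser = _Links()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            parser.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return [h for h in parser.hrefs
            if urlsplit(h).scheme in ("http", "https")
            and not _in_domain(urlsplit(h).hostname, brand)]

if __name__ == "__main__":
    print(off_brand_links(SAMPLE))
```

Legitimate mail can also link to other hosts, so a hit is better used as one scoring signal than as a verdict on its own.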

Users who end up on this website will see a message reading "PLEASE WAITING.... 4 SECONDS," after which they get redirected to Google.

"During those four seconds, the victim’s PC is infected with the ZeuS data-theft malware via a drive-by download," warns Henry Stern, senior security researcher at Cisco's IronPort Systems.

Drive-by downloads are a type of attack in which websites infect visitors' computers with malware in a way that is completely transparent to them.

This is usually achieved by exploiting vulnerabilities in outdated versions of popular applications, such as Flash Player, Adobe Reader, Java or the browsers themselves.

ZBot (ZeuS bot) is a widespread information-stealing trojan commonly used by fraudsters to steal online banking credentials, credit card details and other sensitive information.

This attack is particularly worrying because LinkedIn is a social network for professionals. This means that the risk might extend not only to them personally, but also to the organizations they work for.
