Spammers try to dupe LinkedIn users in Zeus attack
Cybercriminals have targeted LinkedIn users in a concerted spam attack, according to Cisco security company IronPort.
Spammers began a campaign on Monday morning, Cisco senior security researcher Henry Stern told ZDNet UK on Tuesday. What differentiated the campaign from others was the scale of the attack and the fact that it targeted business users, he said.
"The combination of extremely high volume and the focus on business users suggests the attackers are interested in employees with access to online bank accounts," said Stern. "We've provided LinkedIn with the information they need to take action against the spammers."
At one point on Monday, over a quarter of the spam hitting Cisco nodes was due to this particular attack, Stern said, with billions of emails being sent. The emails were not targeted, but were designed for LinkedIn users to self-select, he added.
Users of the LinkedIn business social network were encouraged to click on a link in the spam to a fictitious contact.
They were then taken to a compromised website designed to show a holding page containing an inline frame from a second server, entirely controlled by the criminals.
The inline frame then linked to a Trojan downloader. This Trojan downloaded the Zeus data-stealing software via the web browser from a third web server also controlled by the attackers.
The attack has been verified on several versions of Internet Explorer and also affects Firefox, said Stern, adding that dozens of legitimate websites were compromised. ZDNet UK understands these to include prominent US sports sites, among others.
There has only been one reported case of the malware being effective. Dan Tynan, a journalist for technology publication Infoworld, admitted to being taken in by the spam.
"I feel like a complete idiot," wrote Tynan in an article. "I just got taken by a LinkedIn spam that may have just stolen my banking password."
Stern said that there were only a small number of gangs capable of shifting cash out of corporate accounts, but that Cisco was not aware which gang or gangs were behind the spam attack.