“Join my network on LinkedIn” This was the subject of recent spam emails we received at the Defintel office, and the same subject we have legitimately seen many times before. However, Hussein Matar (firstname.lastname@example.org) and Chip Eubank (email@example.com) don’t actually share any connections with us. What they wanted to share was malware.
The messages themselves are fairly well formed and not obviously shady unless you recall what a genuine LinkedIn request email looks like. Below is the fake:
Every link from Chip takes me to www.rezagroup.net/templates/beez/wps.php?c002, which then directs to hourlydesk.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php.
The first domain, www.rezagroup.net, appears to be a compromised site that normally serves benign content, just like many of the other sites used for the initial hosting of the “/templates/beez/wps.php?c002” and “/templates/beez/wps.php?pprec” links in this spam campaign. Other sites include:
The second location, hourlydesk.org, is hosting the Blackhole exploit kit and ZeroAccess malware. This domain currently resolves to 18.104.22.168, an address it shares with autorevertpartitionmanagement.biz, another site serving the same exploits and malware. The destination URLs for the exploit stage of this campaign vary somewhat but commonly fall under the “/closest/” path:
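The two-stage chain above (compromised site with the wps.php redirector, then the exploit-kit host under /closest/) is easy to hunt for in proxy logs. The following is an added example, not code from the original post or from Defintel: it turns the indicators named on this page into a classifier, runs it over a few constructed Squid-style access log lines, and reports clients that touched both stages, which is the pattern of a completed redirect to the exploit kit. The log format and client addresses are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators from the campaign described above. The stage-1 path and query
# strings and the stage-2 hosts/path are the ones named in the post.
STAGE1_PATH = re.compile(r"/templates/beez/wps\.php\?(c002|pprec)$")
STAGE2_HOSTS = {"hourlydesk.org", "autorevertpartitionmanagement.biz"}
STAGE2_PATH = re.compile(r"^/closest/[a-z0-9]+\.php$")


def classify_url(url):
    """Return which stage of the campaign a URL resembles, or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    if STAGE1_PATH.search(path_q):
        return "stage1-redirector"
    if host in STAGE2_HOSTS:
        return "stage2-exploit-kit"
    if STAGE2_PATH.match(parts.path):
        # Known path shape on a host not yet on the list: weaker indicator.
        return "stage2-path-match"
    return None


def scan_proxy_log(text):
    """Scan Squid native access log lines; return (client, stage, url) hits.

    Field layout assumed: time elapsed client action/code size method url ...
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        stage = classify_url(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def clients_with_full_chain(hits):
    """Clients that requested both a stage-1 redirector and a stage-2 URL."""
    seen = {}
    for client, stage, _ in hits:
        seen.setdefault(client, set()).add(stage.split("-")[0])
    return {c for c, stages in seen.items() if {"stage1", "stage2"} <= stages}


# Constructed sample log lines (assumed format and addresses, not real traffic).
SAMPLE_LOG = """\
1350000001.123 54 10.0.0.5 TCP_MISS/302 421 GET http://www.rezagroup.net/templates/beez/wps.php?c002 - DIRECT/192.0.2.10 text/html
1350000002.456 210 10.0.0.5 TCP_MISS/200 18231 GET http://hourlydesk.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php - DIRECT/192.0.2.20 text/html
1350000003.789 30 10.0.0.7 TCP_HIT/200 5120 GET http://www.linkedin.com/e/v2?e=abc - NONE/- text/html
"""

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print("full chain:", clients_with_full_chain(found))
```

Hosts alone are a weak signal because the campaign rotates compromised sites; the wps.php query strings and the /closest/ path shape survive the rotation, and a client hitting stage 1 and then stage 2 is worth an endpoint check for ZeroAccess.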
Some malicious domains sharing these files:
Be wary of odd-looking invitations and use your instincts. If it feels strange, don’t click. Real LinkedIn invites come from (firstname.lastname@example.org) and include personal information. LinkedIn addresses this very thing in its help center:
In our messages to you, we include a security footer message with your name and professional headline to help you distinguish authentic LinkedIn emails from “phishing” email messages. “Phishing” emails often look very similar to legitimate ones, but they likely wouldn’t have this personalized information and may also contain links that direct you to malicious sites instead of LinkedIn.
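The three checks LinkedIn's note implies (who sent it, where the links go, and whether the personalised security footer is present) can be automated for a mail gateway or a triage script. The following is an added example, not code from the original post, LinkedIn or Defintel. It parses two constructed messages: a fake modelled on the campaign above, and a stand-in for a genuine invitation. The sender address invitations@linkedin.com, the footer wording and the recipient name are assumptions for illustration; the real sender address is not shown on this page.

```python
import email
import re
from email.policy import default
from urllib.parse import urlsplit

# Assumption: genuine invitations are sent from, and link to, linkedin.com.
LEGIT_DOMAIN = "linkedin.com"
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)


def same_site(host, domain):
    """True if host is domain or a subdomain of it (case-insensitive)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def check_invite(raw_bytes, recipient_name):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    findings = []

    # 1. Sender domain must be the legitimate one.
    sender = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    sender_domain = sender.rpartition("@")[2]
    if not same_site(sender_domain, LEGIT_DOMAIN):
        findings.append(f"sender domain {sender_domain!r} is not {LEGIT_DOMAIN}")

    # 2. Every link must point back to the legitimate site.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in HREF_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if not same_site(host, LEGIT_DOMAIN):
            findings.append(f"link points off-site: {url}")

    # 3. The security footer personalises the mail with the recipient's name.
    if recipient_name.lower() not in text.lower():
        findings.append("no personalised security footer (recipient name absent)")
    return findings


# Constructed fake, modelled on the campaign: non-LinkedIn sender, link to the
# compromised redirector, no personalisation.
FAKE_INVITE = b"""From: Chip Eubank <chip@example.com>
To: analyst@example.org
Subject: Join my network on LinkedIn
Content-Type: text/html; charset=utf-8

<html><body>
<p>Chip Eubank wants to connect with you on LinkedIn.</p>
<p><a href="http://www.rezagroup.net/templates/beez/wps.php?c002">Accept</a></p>
</body></html>
"""

# Constructed stand-in for a genuine invitation (sender and footer assumed).
REAL_INVITE = b"""From: LinkedIn Invitations <invitations@linkedin.com>
To: analyst@example.org
Subject: Join my network on LinkedIn
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone wants to connect with you on LinkedIn.</p>
<p><a href="https://www.linkedin.com/e/v2?e=abc">Accept</a></p>
<p>This email was intended for Jane Analyst (Security Engineer at Example Corp).</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_INVITE), ("real", REAL_INVITE)):
        print(label, check_invite(raw, "Jane Analyst") or ["ok"])
```

The name check is the weakest of the three, since a targeted sender can include it, so treat it as corroboration and let the sender-domain and link-host checks drive any blocking decision.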
Additional info and sources: