“Join my network on LinkedIn” was the subject of recent spam emails received at the Defintel office, and the same subject we have legitimately seen many times before. However, Hussein Matar (skimpinesstul131@rrtrr.net) and Chip Eubank (lucindad0@novamaterialsllc.com) do not actually share any connections with us. What they wanted to share was malware.
The messages themselves are reasonably well formed and do not look particularly shady unless you remember exactly what a genuine LinkedIn invitation email looks like. Below is the fake:
Every link from Chip takes me to www.rezagroup.net/templates/beez/wps.php?c002, which then redirects to hourlydesk.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php.
The first domain, www.rezagroup.net, appears to be a compromised site with an otherwise benign purpose, like many of the other sites used for the initial hosting of the “/templates/beez/wps.php?c002” and “/templates/beez/wps.php?pprec” links in this spam campaign (the /templates/beez/ path is the directory of a stock Joomla template, which suggests compromised Joomla installations). Other sites include:
www.mediasoftbd.com
www.polirovka.lv
grhterceirizacoes.com.br
www.debtconnect.com
The second location, hourlydesk.org, is hosting the Blackhole exploit kit and ZeroAccess malware. This domain currently resolves to 46.4.150.114, which it shares with autorevertpartitionmanagement.biz, another site serving the same exploits and malware. The destination URLs for the exploit part of this campaign vary somewhat, but they commonly fall under the “/closest/” path:
/closest/209tuj2dsljdglsgjwrigslgkjskga.php
/closest/df7guhoijewpgkegwegko.php
/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php
Other malicious domains serving the same files:
3isjhieuegnirng.mywww.biz
3rtyjjdxgn.ns02.us
3thtyjtyjcc.ns02.us
209wugoirgor.mymom.info
7whwjvlwd.ikwb.com
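The redirect chain described above (compromised site with /templates/beez/wps.php?c002 or ?pprec, then a /closest/<random>.php landing page on the exploit-kit host) is easy to hunt for in proxy logs. The following is an added example, not code from the original post: it takes the indicators listed above, classifies each URL as first stage or second stage, and correlates per client so that a host which followed the whole chain is reported separately from one that only touched the redirector. The log format and the log lines are constructed for the demo; the hostnames, IP and path shapes are the ones quoted in the post, with the regex generalising the three landing-page names.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the first-stage redirector path and its two
# query strings, the second-stage hosts/IP, and the shape of the "/closest/"
# landing-page names. The regex generalises the three file names quoted above.
STAGE1_PATH = "/templates/beez/wps.php"
STAGE1_QUERIES = {"c002", "pprec"}
STAGE2_PATH = re.compile(r"^/closest/[a-z0-9]{20,40}\.php$")
STAGE2_HOSTS = {
    "hourlydesk.org", "autorevertpartitionmanagement.biz",
    "3isjhieuegnirng.mywww.biz", "3rtyjjdxgn.ns02.us", "3thtyjtyjcc.ns02.us",
    "209wugoirgor.mymom.info", "7whwjvlwd.ikwb.com",
}
STAGE2_IPS = {"46.4.150.114"}


def classify_url(url):
    """Return 'stage1' (compromised redirector), 'stage2' (exploit-kit landing
    page) or None for a URL that matches none of the campaign indicators."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.path == STAGE1_PATH and p.query in STAGE1_QUERIES:
        return "stage1"
    if host in STAGE2_HOSTS or host in STAGE2_IPS or STAGE2_PATH.match(p.path):
        return "stage2"
    return None


# Constructed proxy log for the demo (not real traffic). Format assumed here:
# "<epoch seconds> <client ip> <method> <url> <http status>"
SAMPLE_LOG = """\
1361000001.100 10.0.0.5 GET http://www.rezagroup.net/templates/beez/wps.php?c002 302
1361000001.900 10.0.0.5 GET http://hourlydesk.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php 200
1361000050.000 10.0.0.9 GET http://www.mediasoftbd.com/index.php 200
1361000070.000 10.0.0.7 GET http://www.polirovka.lv/templates/beez/wps.php?pprec 302
1361000300.000 10.0.0.8 GET http://46.4.150.114/closest/df7guhoijewpgkegwegko.php 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, url) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, client, _method, url, _status = m.groups()
            yield float(ts), client, url


def find_chains(text, window=30.0):
    """Correlate hits per client. A client is marked 'chain' when a stage-2
    hit follows a stage-1 hit within `window` seconds (the redirect the post
    describes); lone hits are 'stage1_only' or 'stage2_only'."""
    last_stage1 = {}
    verdict = {}
    for ts, client, url in sorted(parse_log(text)):
        stage = classify_url(url)
        if stage == "stage1":
            last_stage1[client] = ts
            verdict.setdefault(client, "stage1_only")
        elif stage == "stage2":
            t1 = last_stage1.get(client)
            if t1 is not None and ts - t1 <= window:
                verdict[client] = "chain"
            else:
                verdict.setdefault(client, "stage2_only")
    return verdict


if __name__ == "__main__":
    for client, what in sorted(find_chains(SAMPLE_LOG).items()):
        print(f"{client}: {what}")
```

Note that the first-stage sites are matched on the wps.php path rather than on hostname: they are legitimate sites that happen to be compromised, so a plain visit to www.mediasoftbd.com/index.php is left alone while the redirector path on the same host is flagged. The second-stage hosts are matched on hostname and IP as well as path, since nothing legitimate lives there.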
Be wary of odd-looking invitations and use your instincts: if it feels strange, don’t click. Real LinkedIn invitations come from member@linkedin.com and include personal information. Bear in mind that a sender address is trivially forged, so check where the links actually point as well as who the mail claims to be from. LinkedIn addresses this very thing in its help center:
In our messages to you, we include a security footer message with your name and professional headline to help you distinguish authentic LinkedIn emails from “phishing” email messages. “Phishing” emails often look very similar to legitimate ones, but they likely wouldn’t have this personalized information and may also contain links that direct you to malicious sites instead of LinkedIn.
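The three tells above (sender domain, where the links point, and the personalised security footer) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post or from LinkedIn: it parses a raw message, verifies the From domain, extracts every href from the body and flags any that do not lead to linkedin.com, and looks for the recipient's name in the body. Both sample messages are constructed; the fake reuses the sender and links quoted in the post, while the "genuine" one is a stand-in for a real LinkedIn mail (its link path and footer wording are invented), not a copy of one.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

SENDER_DOMAIN = "linkedin.com"      # real invitations come from member@linkedin.com
LINK_DOMAINS = ("linkedin.com",)    # where an invitation's links should point
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)


def host_allowed(host, domains):
    """True if host equals one of `domains` or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_invite(raw, recipient_name):
    """Run the three checks over a raw RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, sender = parseaddr(msg["From"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = HREF.findall(text)
    return {
        "sender_ok": host_allowed(sender.rpartition("@")[2], (SENDER_DOMAIN,)),
        "bad_links": [u for u in links
                      if not host_allowed(urlsplit(u).hostname or "", LINK_DOMAINS)],
        # The security footer carries the recipient's name and headline; a
        # mail that never mentions the recipient by name fails this check.
        "personalised": recipient_name.lower() in text.lower(),
    }


def is_suspicious(result):
    """Any single failed check is enough to hold the message for review."""
    return (not result["sender_ok"]) or bool(result["bad_links"]) or (not result["personalised"])


# Constructed sample messages (not real mail). The fake reuses the sender and
# links from the post; the genuine one is an invented stand-in for a real
# LinkedIn invitation, including its link path and footer wording.
FAKE_INVITE = b"""\
From: Chip Eubank <lucindad0@novamaterialsllc.com>
To: jane@example.com
Subject: Join my network on LinkedIn
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Chip Eubank requested to add you as a connection on LinkedIn.</p>
<a href="http://www.rezagroup.net/templates/beez/wps.php?c002">Accept</a>
<a href="http://www.rezagroup.net/templates/beez/wps.php?pprec">View invitation</a>
</body></html>
"""

GENUINE_INVITE = b"""\
From: LinkedIn <member@linkedin.com>
To: jane@example.com
Subject: Join my network on LinkedIn
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alice Example requested to add you as a connection on LinkedIn.</p>
<a href="https://www.linkedin.com/e/example-token">Accept</a>
<p>This email was intended for Jane Analyst (Security Engineer at Example Corp).</p>
</body></html>
"""


if __name__ == "__main__":
    for label, raw in (("fake", FAKE_INVITE), ("genuine", GENUINE_INVITE)):
        r = check_invite(raw, "Jane Analyst")
        print(label, "suspicious" if is_suspicious(r) else "ok", r)
```

The sender check is a coarse filter only, since the From header is whatever the spammer types; the authoritative signal is the SPF/DKIM/DMARC result your mail gateway records in the Authentication-Results header. The link check is the one that catches this particular campaign, because every link in the fake leads to the compromised redirector rather than to linkedin.com.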
-Matt Sully
Additional info and sources:
http://blog.dynamoo.com/2013/02/follow-this-link-spam.html
http://malwaremustdie.blogspot.ca/2013/02/blackhole-of-closest-version-with.html
http://urlquery.net/report.php?id=1186819
http://pastebin.com/UPm0s8r0