Rogue LinkedIn Profiles Lead To Malware
Tuesday January 6, 2009 at 6:33 am CST
Posted by Micha Pekrul
LinkedIn is a popular social networking site where you can manage business contacts online. Since you can set up a profile with links to your own website, it seems to attract criminals’ attention as well. A Google search reveals that several hundred fake LinkedIn profiles, from nude “Kirsten Dunst” to nude “Hulk Hogan”, already exist. The rogue profiles all look alike, with a picture of the celebrity and three links to the parts of the “nude video”, as shown in the following picture.

This is exactly the lure - don’t follow these links! The linked websites contain obfuscated script code which decodes to a simple browser redirection. McAfee already detects this obfuscated script code proactively as “Exploit-IFrame.gen.c”.
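
An added example (not from the original post and not McAfee's tooling): static triage of a page like the ones described above, expanding encoded script strings without executing them and reporting where the hidden redirect points. It assumes the redirect is hidden in an `unescape()` percent-encoded literal, which the post does not specify; the sample page and the `tds.example.invalid` host are constructed.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: a script that hides a redirect inside a
# percent-encoded string. The host is a reserved example domain.
SAMPLE_PAGE = (
    "<html><body><script>"
    "document.write(unescape('%3Cscript%3Ewindow.location%3D%22"
    "http%3A//tds.example.invalid/r%3Fid%3D2%22%3B%3C/script%3E'));"
    "</script></body></html>"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
# Sinks that send the browser elsewhere: location, meta refresh, iframe src.
REDIRECT_RES = [
    re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)", re.I),
    re.compile(r"location\.replace\(\s*['\"]([^'\"]+)", re.I),
    re.compile(r"http-equiv=['\"]?refresh[^>]*url=([^'\"> ]+)", re.I),
    re.compile(r"<iframe\b[^>]*\bsrc=['\"]?([^'\"> ]+)", re.I),
]

def decode_layers(text, max_depth=5):
    """Statically expand unescape('...') literals; never executes script."""
    layers = [text]
    for _ in range(max_depth):
        encoded = [m.group(2) for m in UNESCAPE_RE.finditer(layers[-1])]
        if not encoded:
            break
        layers.append("\n".join(unquote(e) for e in encoded))
    return layers

def triage(html):
    """Return findings as (decoding depth, target URL, target host)."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for depth, layer in enumerate(decode_layers(script)):
            for rx in REDIRECT_RES:
                for url in rx.findall(layer):
                    findings.append((depth, url, urlparse(url).hostname))
    return findings

if __name__ == "__main__":
    for depth, url, host in triage(SAMPLE_PAGE):
        note = "hidden behind encoding" if depth else "in clear text"
        print(f"redirect to {host} ({url}) {note}")
```

A depth greater than zero means the redirect only appears after decoding, which is a stronger signal than a clear-text redirect on its own.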

If you followed the link (don’t do that!) to see how deep the rabbit hole goes, you would end up at a Traffic Management System like the one described in this Avert Labs blog entry. On every reload, the server-side application points to a different domain.

So when an unsuspecting user is tricked into following the lure, he will end up on different malicious websites that try the classic social-engineering tricks: either the “missing video codec”, or a fake AV scan that tells the user his computer is infected with malware and offers a “free” AV scanner, which in fact is the real threat. So beware when following links, even on trusted Web 2.0 platforms like LinkedIn, especially when they promise nude celebrity videos.

January 7th, 2009 at 05:35
Where can I get McAfee FileInsight?
January 7th, 2009 at 13:52
Hey, I love the way you guys are incorporating animation into your blogs. As a blogger myself, can I ask what software you use to do this?
January 8th, 2009 at 09:31
The FileInsight tool can be found here:
http://www.webwasher.de/download/fileinsight/
And they’re using animated GIFs for the animated images.
January 8th, 2009 at 19:50
http://www.webwasher.de/download/fileinsight/
March 21st, 2009 at 19:54
Hello sir, I am from India and I am a very big fan of your blog. I read it regularly. I am in the 3rd year of computer sci. engineering and I also want to be a security researcher like you people. Can you please tell me what courses I have to do and from where?
May 26th, 2009 at 06:47
As a rule of thumb, whenever there is an iframe injected with a URL embedded, it should raise an alarm that there’s something fishy.
The problem with this particular trojan is that by default most of the scanners do not detect it.