LinkedIn Zeus spam run targets prospective business marks
Cybercrooks on Tuesday targeted users of the LinkedIn social network with a spam attack aimed at infecting victims with the infamous Zeus Trojan.
Prospective marks were emailed an alert that posed as a social media contact request; its link actually sent victims to a malware-loaded site that attempted to infect them via a drive-by download. The burst of malicious spam targeting LinkedIn users accounted for 24 per cent of all junk mail for around 15 minutes after 11:00 UK time on Tuesday, according to network and security firm Cisco.
Cisco said the combination of a concentrated burst of attack lure emails, the focus on business users, and the use of the Zeus data-theft malware distinguishes the attack from other malicious email spam runs. The networking firm reckons the unknown miscreants behind the attack are probably targeting employees with access to financial systems and online commercial bank accounts.
More on the attack, along with a screenshot of a spam sample, can be found in a blog post by Cisco.
I am a first class spam fighter and have been for a decade.
I am a small web/mail hosting provider. I have written many defence systems, and mine is now as comprehensive as it is possible to be without throwing out the baby with the bathwater.
My system is almost fully automatic now - the last few *years'* worth of sendmail logs are stored in a MySQL database, with a history of 1.1 million IP addresses.
Attempts to send mail and other abuses by zombies are tracked and logged. If it violates some rules - SPF failures, RBLs, mail attacks, no reverse lookup etc. - then the IP address is banned using iptables for 10 days times the number of bans, added to an RBL, and a munged history log of the address's activity is sent to the ISP that owns the netblock. If no abuse address is given, then all available addresses are mailed after checking a local learned blacklist of bad or delinquent ISPs. If they don't want my reports, I can't force them to accept them.
I have similar monitoring and complaint systems, with various rules, for ftp, ssh, pop3 and web brute-force attempts and probes.
Any messages that are accepted go through a lot of spam checks - high scoring spam gets quarantined and automatically fed into spamassassin's Bayesian filters, added to my RBL and sent to Spamcop. Unfortunately confirming these is still manual on their site.
Borderline scoring spam gets quarantined and goes to a special mail account for submitting to spamcop or unquarantining - manual I'm afraid, but there are very few false positives.
I send hundreds of complaints a day.
There appear to be no laws anywhere that force an ISP to look after their customers.
There appear to be no laws anywhere that force an ISP to halt abuse from their networks.
There is no way to fix users that are too stupid to realise they are too stupid to use the net.
Educating users is proving impossible. Even patching all known vulnerabilities and up to date virus scanners won't stop people from installing trojan software. Most spam is nowadays coming from Russia, Vietnam, South America, Ukraine, Belarus, Korea, Taiwan and increasingly Africa where many just aren't aware of the dangers, and most people use pirated and hence unpatched Windows XP.
Outlook does not show the real country of origin of a mail, which would help users think twice.
The LinkedIn mails were expertly put together; only the mail header and the false URL gave them away, and even then I had to look hard, as the Received: field was forged to look as if LinkedIn had handled it first.
Not enough people use SPF and DKIM and use -all or enforce dkim discardable policies.
Even PayPal doesn't use -all, but this is still only useful if the receiver pays attention to SPF/DKIM, and mail forwarding or mailing lists can break these.
The only way to influence an ISP is to hit their bottom line - if customers can realise their ISP is being blocked by not fixing zombies and admonishing hackers then they could go elsewhere, but many places don't have alternative ISPs.
Google, Yahoo, MSN, Badoo, Akamai, mail.ru et al are too chicken to blanket block delinquent ISPs because they need the clicks.
95% of reports fall on deaf ears.
However, I do have some successes in bringing compromised machines to an owner's attention and that makes it worthwhile.
Now, if I could just put my Heath Robinson system into a form that could be distributed for others to use, then we can overload ISPs abuse mailboxes and blacklist them more effectively and hopefully get more response, but this would just escalate the war. The big players need to do more to influence behaviour.
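The escalating-ban bookkeeping the comment above describes (log the violation, ban via iptables for 10 days times the number of bans), as an added example that is not the commenter's code. It parses a few constructed sendmail-style rejection lines, counts rule hits per sending IP, and computes the ban schedule, printing the iptables commands rather than running them. The log format, rule names, threshold and RFC 5737 documentation addresses are all assumptions made for the example.

```python
"""Escalating iptables bans driven by sendmail rejection logs.

Added example (not the commenter's code). It parses CONSTRUCTED
sendmail-style log lines, counts rule violations per sending IP, and
computes a ban whose length grows with each repeat offence (10 days times
the number of bans issued, the schedule the comment describes). It only
returns the iptables commands it would run; it never touches the firewall.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, loosely in sendmail's syslog format. The relay
# addresses are documentation ranges (RFC 5737), not real senders.
SAMPLE_LOG = """\
Nov 30 11:02:17 mx sm-mta[4111]: oAUB2Hxx004111: ruleset=check_mail, arg1=<user@example.com>, relay=[203.0.113.5], reject=550 5.7.1 SPF check failed
Nov 30 11:02:19 mx sm-mta[4112]: oAUB2Jxx004112: ruleset=check_relay, arg1=[198.51.100.9], relay=[198.51.100.9], reject=550 5.7.1 Rejected: 198.51.100.9 listed at rbl.example
Nov 30 11:02:25 mx sm-mta[4113]: oAUB2Pxx004113: ruleset=check_relay, arg1=[203.0.113.5], relay=[203.0.113.5], reject=550 5.7.1 Rejected: 203.0.113.5 listed at rbl.example
Nov 30 11:03:01 mx sm-mta[4114]: oAUB31xx004114: from=<ok@partner.example>, size=1200, relay=mail.partner.example [192.0.2.77]
Nov 30 11:03:40 mx sm-mta[4115]: oAUB3exx004115: ruleset=check_relay, arg1=[203.0.113.5], relay=[203.0.113.5], reject=451 4.7.1 no reverse DNS for 203.0.113.5
"""

# Map a rejection reason found in the log line to a short rule name (assumed).
RULES = {
    "SPF check failed": "spf",
    "listed at": "rbl",
    "no reverse DNS": "no_rdns",
}
# relay=[1.2.3.4] or relay=host.example [1.2.3.4]
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BAN_UNIT = timedelta(days=10)   # first ban 10 days, second 20, third 30 ...
BAN_THRESHOLD = 2               # violations in the window before a ban is issued


def parse_violations(log_text):
    """Return a list of (ip, rule) pairs, one per rejected line."""
    found = []
    for line in log_text.splitlines():
        if "reject=" not in line:
            continue                      # accepted mail, nothing to record
        m = RELAY_RE.search(line)
        if not m:
            continue
        for needle, rule in RULES.items():
            if needle in line:
                found.append((m.group(1), rule))
                break
    return found


class BanTracker:
    """Per-IP history: violations seen and how many bans were issued before."""

    def __init__(self, now=None):
        self.now = now or datetime(2010, 11, 30, 11, 0, 0)
        self.violations = defaultdict(list)   # ip -> [rule, rule, ...]
        self.ban_count = defaultdict(int)     # ip -> number of bans so far
        self.banned_until = {}                # ip -> datetime the ban expires

    def record(self, ip, rule):
        self.violations[ip].append(rule)

    def decide(self):
        """Ban every IP at or over threshold; return {ip: ban length in days}."""
        issued = {}
        for ip, rules in self.violations.items():
            if len(rules) < BAN_THRESHOLD:
                continue
            self.ban_count[ip] += 1
            length = BAN_UNIT * self.ban_count[ip]   # 10 days x number of bans
            self.banned_until[ip] = self.now + length
            issued[ip] = length.days
            self.violations[ip] = []      # history reported to the ISP, window reset
        return issued

    def iptables_commands(self):
        """Commands the ban would translate to (returned, not executed)."""
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(self.banned_until)]


def run(log_text, tracker=None):
    """Feed one batch of log lines into a tracker and issue any bans due."""
    if tracker is None:
        tracker = BanTracker()
    for ip, rule in parse_violations(log_text):
        tracker.record(ip, rule)
    return tracker, tracker.decide()


if __name__ == "__main__":
    t, bans = run(SAMPLE_LOG)
    print("first batch:", bans)            # 203.0.113.5 gets 10 days
    t, bans = run(SAMPLE_LOG, t)           # same host offends again: 20 days
    print("second batch:", bans)
    print("\n".join(t.iptables_commands()))
```

The window reset after each ban mirrors the comment's flow (history mailed to the ISP, counter kept): a host that keeps coming back after its ban expires gets 10, then 20, then 30 days. In practice the expiry would be enforced by a cron job removing the rule once `banned_until` has passed, which is omitted here.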
"Cybercrooks on Tuesday targeted users of the LinkedIn social network with a spam attack "
should be (or something similar): Cybercrooks on Tuesday targeted random e-mail accounts with a spam message that tries to pass itself off as an official message related to the LinkedIn social network.
I only say this because I have no account on LinkedIn (and never will, along with all other web 2.0 sites) and have roughly 400-500 of these sitting in my spam/virus folder in my e-mail client for one of my e-mail addresses. So it's not just targeting LinkedIn users but anyone at random. And I'm sure some who do not have LinkedIn accounts will still click on it and install the malware.
Since they all used the same forged "from" address, I crudely added it to the Exchange recipient filter; that sorted it until people complain (if anyone actually uses LinkedIn), by which time I will have forgotten what I did...