LinkedIn recently announced LinkedIn Intro, an add-in to the iOS mail app that displays a contact's LinkedIn data in the message you are reading by injecting code into the data stream. This is of marginal use to most people, and many readers will recognise it as something that annoying browser plugins have done for some time.
Despite LinkedIn's Pledge of Privacy, many people are concerned that LinkedIn is intercepting and reading your email. I don't believe that LinkedIn is at all interested in the content of your email, but I do believe that it is interested in finding out who you contact, in order to sell its so-called "product" on to more and more people.
Here's a thing: I use LinkedIn under an assumed name, but somehow LinkedIn thinks that I may know various people. Now, some of those are obviously connected to my fake profile, but then it suggested that I know my own wife. Well, obviously I do, but the fake profile has no connection to her, so the only source of this information must have been our shared IP address at home.
Then LinkedIn goes on a data-mining spree and suggests that I know all my coworkers, who I also share an IP address with. That is true, but the fake profile I created has no connection to them. So it seems pretty clear that LinkedIn uses your IP address to match you up with others.
LinkedIn has often been accused of rummaging through people's mailboxes without permission, but in this case that was not possible, as my LinkedIn account is not linked to any mailbox and uses a different username and password, so the IP address is the only logical source.
But one day my wife (an occasional LinkedIn user) reported something very creepy indeed: it suggested that she may know a relative of mine whom she never really contacts. Some time later, another relative popped up in my fake profile. Where the hell does this information come from?
I have several theories about what is going on, including a deep suspicion that LinkedIn creates shadow profiles of non-members and that it also holds hidden data about the relationships of members, but those are just my opinions and I have nothing concrete to back them up. What I do know from playing around with fake profiles is that LinkedIn is extremely clever at building up a network of suggested contacts, whether you want it to or not.
LinkedIn's primary resource is the personal connections of its users, and just possibly that extends to shadow profiles of non-users as well. That brings us back to LinkedIn Intro: the quickest way of building up a truly massive collection of data about personal relationships is to do traffic analysis on their email. You don't need to know the content; if you know who they send emails to and receive emails from, you can easily enumerate their professional and personal relationships. And then you can monetise that.
In the end, it doesn't matter whether you sign up for LinkedIn Intro or not, because if just one person in your email chain does use it, there's the possibility that LinkedIn will slurp up all that data for its own use.
LinkedIn has been accused by some of being the creepiest social network, and some commentators have gone even deeper into the risks of using Intro. There's even a lawsuit claiming that LinkedIn hacked email contacts, but I suspect that LinkedIn wouldn't even need to bother doing that, as it is clearly very efficient at working out contacts without it.
I suspect that at some point LinkedIn's data gathering will become a big issue, and the company will either need to explain exactly how it collects its data or perhaps someone on the inside will leak it. Are they doing something illegal? Probably not. Are they doing something very creepy? Almost definitely yes.
Saturday, 26 October 2013
Thursday, 24 October 2013
"My resume" spam / Resume_LinkedIn.exe
This rather terse spam email message has a malicious attachment:
Date: Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From: Elijah Parr [Elijah.Parr@linkedin.com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Elijah Parr
------------------------
Date: Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From: Greg Barnes [Greg.Barnes@linkedin.com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Greg Barnes
The attachment is Resume_LinkedIn.zip, which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word document rather than an executable.
VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools [1] [2] show an attempted connection to homevisitor.co.uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea, as there are several other compromised domains on that same server [1] [2].
Labels: EXE-in-ZIP, LinkedIn, Malware, Spam, Viruses
Wednesday, 16 October 2013
LinkedIn spam / Contract_Agreement_whatever.zip
This fake LinkedIn spam has a malicious attachment:
Date: Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]
From: Shelby Gordon [Shelby@linkedin.com]
Attached is your new contract agreements.
Please read the notes attached, then complete, sign and return this form.
Shelby Gordon
Contract Manager
Online Division - LinkedIn
Shelby.Gordon@linkedin.com
Office: 302-449-8859 Ext. 33
Direct: 302-184-9426
This email was intended for dynamoo@spamcop.net.
© 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The attachment has the format Contract_Agreement_recipientname.zip and in turn contains a malicious executable Contract_Agreement_10162013.exe (note the date encoded into the filename). VirusTotal detections are 10/48.
Automated analysis tools [1] [2] [3] show an attempted connection to miamelectric.com on 209.236.71.58 (Westhost, US). I recommend that you block outbound traffic to that particular domain.
Labels: EXE-in-ZIP, LinkedIn, Malware, Spam, Viruses
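As an added example (my own code, not the blog's, which publishes none), the Python below applies the two checks the EXE-in-ZIP posts above rely on: a display name, subject or lookalike domain that invokes LinkedIn while the actual sender domain is not linkedin.com, and a ZIP attachment that carries an executable. The From: lines are quoted from posts on this page; the ZIP content is constructed, and the lookalike-glyph folding is my own heuristic.

```python
import io
import re
import zipfile
from email.utils import parseaddr

# File types that have no business inside a "resume" or "contract" ZIP.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def parse_from_header(line):
    """Split a From: line as quoted in these posts into (display name, address).

    The blog renders angle brackets as [...] and sometimes keeps Outlook's 'mailto:'
    prefix, e.g. "From: David O'Connor - LinkedIn [mailto:kissp@gartenplandesign.de]".
    """
    value = re.sub(r"^From:\s*", "", line.strip(), flags=re.IGNORECASE)
    m = re.match(r"(.*?)\s*[\[<]\s*(?:mailto:)?([^\]>\s]+)\s*[\]>]", value)
    if m:
        return m.group(1).strip().strip('"'), m.group(2)
    return parseaddr(value)  # plain RFC 5322 form: ('', 'user@example.com')


def _fold_lookalikes(text):
    """Lower-case and fold glyphs commonly swapped for 'i', so 'Linkedln' matches 'LinkedIn'."""
    return text.lower().translate(str.maketrans("l1|", "iii"))


def mentions_linkedin(text):
    return "iinkedin" in _fold_lookalikes(text)  # 'linkedin' itself folds to 'iinkedin'


def is_linkedin_domain(domain):
    d = domain.lower()
    return d == "linkedin.com" or d.endswith(".linkedin.com")


def classify_sender(from_line, subject=""):
    """Reasons a From:/Subject: pair looks like a fake LinkedIn notification.

    An empty list only means the headers give nothing away: the Resume_LinkedIn spam
    above forges an @linkedin.com address outright, so the attachment check is essential.
    """
    name, addr = parse_from_header(from_line)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if is_linkedin_domain(domain):
        return []
    reasons = []
    if mentions_linkedin(name):
        reasons.append(f"display name claims LinkedIn but address domain is {domain or 'missing'}")
    if mentions_linkedin(domain):
        reasons.append(f"lookalike sender domain {domain}")
    if mentions_linkedin(subject):
        reasons.append(f"subject mentions LinkedIn but sender domain is {domain or 'missing'}")
    return reasons


def suspicious_zip_members(zip_bytes):
    """Names of ZIP members with an executable extension (catches Resume.doc.exe as well)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().rstrip().endswith(EXECUTABLE_EXTS)]


def triage(from_line, subject="", zip_bytes=None):
    """Header checks plus the EXE-in-ZIP check for one message."""
    reasons = classify_sender(from_line, subject)
    if zip_bytes is not None:
        reasons += [f"ZIP attachment contains executable: {m}" for m in suspicious_zip_members(zip_bytes)]
    return reasons


def build_sample_zip(member_name):
    """Constructed stand-in for Resume_LinkedIn.zip: one member holding a harmless dummy body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"dummy content, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    # Headers quoted from the posts on this page; the ZIP attachment is constructed.
    samples = [
        ("From: Elijah Parr [Elijah.Parr@linkedin.com]", "My resume",
         build_sample_zip("Resume_LinkedIn.exe")),
        ("From: David O'Connor - LinkedIn [mailto:kissp@gartenplandesign.de]", "", None),
        ("From: Linkedln Support [Support@supportlinkedln.com]",
         "You need to confirm your email address.", None),
        ('From: "service@paypal.com" [service@paypal.com]', "Join my network on LinkedIn", None),
    ]
    for from_line, subject, attachment in samples:
        print(from_line)
        for reason in triage(from_line, subject, attachment) or ["no header or attachment signal"]:
            print("  -", reason)
```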
Tuesday, 18 June 2013
Something phishy on 92.48.75.214
A couple of phishing sites on 92.48.75.214 (Simply Transit, UK):
linkedlne.com - LinkedIn / Webmail Phish
This laughable fake LinkedIn login page is trying to harvest webmail addresses, being sent out via a spam message and leading to a link at [donotclick]www.linkedlne.com/login/user/:
From: Linkedln Support [Support@supportlinkedln.com]
Date: 18 June 2013 06:53
Subject: You need to confirm your email address.
We write to inform you that your LinkedIn account has been blocked due to inactivity.
To ensure that your online services with LinkedIn will no longer be interrupted
Click here to unblock your account.
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using LinkedIn!
--The LinkedIn Team
http://www.linkedin.com/
Learn why we included this. © 2013, LinkedIn Corporation. 2029 Stierlin
Really this is just phishing for webmail addresses and passwords rather than LinkedIn credentials:
suncoaslfcn.org - Suncoast Schools Federal Credit Union phish
Hosted on the same server is an attempted phish for something called the "Suncoast Schools Federal Credit Union", which has an actual website at suncoastfcu.org rather than suncoaslfcn.org. The phish page is at [donotclick]sunnet.suncoaslfcn.org/SignIn/, but the phishers have left a full copy of the phishing kit, which is available at [donotclick]sunnet.suncoaslfcn.org (more of which in a moment).
There's also an attempted Co-op bank phish which has been reported at [donotclick]co-operativebank.co.uk.suncoaslfcn.org/login/online-access/login.php.
There are two email addresses that can be found in the phishing sites themselves (for research purposes you can download a copy here; the password is "phish"). The file verification_data.php reveals two email addresses, jsrh444@188.com and davenport1001@hotmail.com.
A quick bit of Googling around links jsrh444@188.com to the following phishing domains:
cheapflightsreserv.com
mypennystocksprofile.net
pennystocksprofile.net
sunloancom.net
A similar bit of Googling around links the other email address to the following domains:
aicuaee.com
sutherlandhostings.com
rredbulls.info
theclearfund.net
Labels: LinkedIn, Phishing, Simply Transit
Thursday, 2 May 2013
LinkedIn spam / guessworkcontentprotect.biz
This fake LinkedIn email leads to malware on guessworkcontentprotect.biz:
From: LinkedIn Invitations [giuseppeah5@mail.paypal.com]
Date: 2 May 2013 16:49
Subject: LinkedIn inviation notificaltion.
This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
Accept Lewis Padilla Invitation
On May 2, Lewis Padilla wrote:
> To: [redacted]
>
> I'd like to join you to my professional network on LinkedIn.
>
> Lewis Padilla
You are receiving Reminder emails for pending invitations. Unsubscribe.
© 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.
The malicious payload is at [donotclick]guessworkcontentprotect.biz/news/pattern-brother.php (report here) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)
Blocklist:
Tuesday, 9 April 2013
LinkedIn spam / jonahgkio.ru
This fake LinkedIn spam leads to malware on jonahgkio.ru:
Date: Tue, 9 Apr 2013 10:03:31 -0300
From: "service@paypal.com" [service@paypal.com]
Subject: Join my network on LinkedIn
Marcelene Bruno has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Marcelene Bruno
Accept
View invitation from Marcelene Bruno
WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?
Marcelene Bruno's connections could be useful to you
After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
© 2012, LinkedIn Corporation
The link leads to a malicious payload on [donotclick]jonahgkio.ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar looking IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
Monday, 18 March 2013
LinkedIn spam / applockrapidfire.biz
This fake LinkedIn spam leads to malware on applockrapidfire.biz:
From: David O'Connor - LinkedIn [mailto:kissp@gartenplandesign.de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High
REMINDERS
Invitation reminders:
From David O'Connor (animator at ea)
PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.
The link in the message goes through a legitimate hacked site to a malware landing page on [donotclick]applockrapidfire.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire.biz was registered just today to a presumably fake address:
Bernardine McGowan
1639 Heather Sees Way
MUSKOGEE
74401
United States
US
+1.2717159555
bernardine_mcgowan73@gmail.com
URLquery detects traffic to these additional IPs that you might want to block too:
50.22.196.70 (Softlayer / Maxmind LLC, US)
66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
194.165.17.3 (ADM Service Ltd, Monaco)
The nameservers are NS1.QUANTUMISPS.COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS.COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US). quantumisps.com was registered to an anonymous person on 2013-03-15.
Minimum blocklist:
78.46.222.237
quantumisps.com
applockrapidfire.biz
Recommended blocklist:
5.9.212.43
50.22.196.70
66.85.130.234
66.85.131.123
78.46.222.237
194.165.17.3
quantumisps.com
applockrapidfire.biz
Thursday, 14 March 2013
LinkedIn spam / teenlocal.net
This fake LinkedIn spam leads to malware on teenlocal.net:
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!
Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
Program Management
Strategic Planning
Continue
You are receiving Endorsements emails. Unsubscribe.
This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
Friday, 8 March 2013
LinkedIn spam / giminalso.ru
This fake LinkedIn spam leads to malware on giminalso.ru:
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...
[redacted], Congratulations!
You and Aylin are now connected.
Aylin Welsh
--
Tajikistan
2012, LinkedIn Corporation
The malicious payload is at [donotclick]giminalso.ru:8080/forum/links/column.php (report here) hosted on the same IPs as in this other attack today:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
Friday, 22 February 2013
LinkedIn spam / greatfallsma.com and yoga-thegame.net
This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma.com:
From: LinkedIn [mailto:papersv@informer.linkedin.com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending
See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063
Another example:
Date: Fri, 22 Feb 2013 18:21:25 +0200
From: "LinkedIn" [noblest00@info.linkedin.com]
Subject: Reminder about link requests pending
[redacted]
See who requested link with you on LinkedIn
Now it's easy to connect with people you email
Continue
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
© 2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043
The malicious payload is at [donotclick]greatfallsma.com/detects/impossible_appearing_timing.php (report here) hosted on:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)
These are the same two servers used in this attack, blocking them would probably be a good idea.
UPDATE: the malicious domain yoga-thegame.net is also on the same servers (report here)
Monday, 21 January 2013
LinkedIn spam / prepadav.com
This fake LinkedIn spam leads to malware on prepadav.com:
From: LinkedIn [mailto:news@linkedin.com]
Sent: 21 January 2013 16:21
Subject: LinkedIn Reminder from your co-worker
REMINDERS
Invitation reminders:
▫ From CooperWright ( Your employer)
PENDING LETTERS
• There are a total of 2 messages awaiting your action. Acces to your InBox now.
Don't wish to receive email notifications? Adjust your letters settings.
LinkedIn respect your privacy. In no circumstances has LinkedIn made your e-mail acceptable to any other LinkedIn user without your allowance. © 2013, LinkedIn Corporation.
The malicious payload is at [donotclick]prepadav.com/detects/region_applied-depending.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in several malware attacks recently and it should be blocked if you can.
The following malicious websites are active on this server:
Friday, 18 January 2013
LinkedIn spam / shininghill.net
This fake LinkedIn spam leads to malware on shininghill.net:
Date: Fri, 18 Jan 2013 18:16:32 +0200
From: "LinkedIn" [announce@e.linkedin.com]
Subject: LinkedIn Information service message
REMINDERS
Invite notifications:
? From MiaDiaz ( Your renter)
PENDING EVENTS
∙ There are a total of 2 messages awaiting your response. Enter your InBox right now.
Don't want to get email info letters? Change your message settings.
LinkedIn values your privacy. Not once has LinkedIn made your e-mail address available to any another LinkedIn member without your permission. © 2013, LinkedIn Corporation.
The malicious payload is at [donotclick]shininghill.net/detects/solved-surely-considerable.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP address has been used in several recent attacks and should be blocked if you can.
The following domains appear to be active on this IP address, all should be considered to be malicious:
Tuesday, 18 December 2012
LinkedIn spam / apensiona.ru
This fake LinkedIn spam leads to malware on apensiona.ru:
From: messages-noreply@bounce.linkedin.com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn
Hien Lawson has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Hien Lawson
Accept
View invitation from Hien Lawson
WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?
Hien Lawson's connections could be useful to you
After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
2012, LinkedIn Corporation
The malicious payload is at [donotclick]apensiona.ru:8080/forum/links/column.php (the same payload as here) although this time the IPs have changed to:
109.235.71.144 (Serveriai, Lithuania)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit, UK)
Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69
Blocking emails from linkedin.com at your perimeter might also be a good idea.
Friday, 19 October 2012
LinkedIn spam / cowonhorse.co
This fake LinkedIn spam leads to malware on cowonhorse.co:
From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Estelle Garrison
Interpublic Group (Executive Director Marketing PPS)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation
Hi [redacted],
User sent you an invitation to connect 14 days ago. How would you like to respond?
Accept Ignore Privately
Carol Parks
Automatic Data Processing (Divisional Finance Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Rupert Nielsen
O'Reilly Automotive (Head of Non-Processing Infrastructure)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]cowonhorse.co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before. In my opinion, blocking ALL emails that appear to be from LinkedIn would probably benefit your business.
Labels: LinkedIn, Malware, Nuclear Fallout Enterprises, Spam, Viruses
Wednesday, 17 October 2012
LinkedIn spam / 64.111.24.162
This fake LinkedIn spam leads to malware on 64.111.24.162:
From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Alexis Padilla
C.H. Robinson Worldwide (Sales Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]64.111.24.162/links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:
network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US
Blocking the IP (and possibly the /27 block) is probably wise.
Tuesday, 16 October 2012
LinkedIn spam / 74.91.112.86
This fake LinkedIn spam leads to malware on 74.91.112.86:
From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response
Hi [redacted],
David sent you an invitation to connect 13 days ago. How would you like to respond?
Accept Ignore Privately
Hilton Suarez
Precision Castparts (Distributor Sales Manager EMEA)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]74.91.112.86/links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there).
Labels: LinkedIn, Malware, Nuclear Fallout Enterprises, Spam, Viruses
Thursday, 11 October 2012
LinkedIn spam / inklingads.biz
The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on
From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)
PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately.
Don't wish to get email info letters? Adjust your notifications settings.
LinkedIn values your privacy. In no circumstances has LinkedIn made your notifications email acceptable to any third-party LinkedIn member without your permission. 2010, LinkedIn Corporation.
The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji).
Wednesday, 10 October 2012
LinkedIn spam / viewsonicone.ru
This fake LinkedIn spam leads to malware on viewsonicone.ru:
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Connections
Sent: 10 October 2012 09:46
Subject: Nayeli is now part of your network. Keep connecting...
[redacted]. Congratulations!
You and Nayeli are now connected.
Nayeli Deaton
--
Chad
2012, LinkedIn Corporation
The link goes through some obfuscated javascript (report here) to lead to [donotclick]viewsonicone.ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire Internet, Canada)
178.79.146.49 (Linode, UK)
203.80.16.81 (MYREN, Malaysia)
All these IPs and domains are potentially malicious and should be blocked if you can do it:
Saturday, 22 September 2012
LinkedIn spam / 69.194.201.21
This fake LinkedIn spam leads to malware on 69.194.201.21:
Date: Sat, 22 Sep 2012 15:16:47 -0500
From: "Reminder" [CC8504C0E@updownstudio.com]
Subject: LinkedIn: New messages awaiting your response
REMINDERS
Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)
PENDING MESSAGES
There are a total of 88 message(-s) awaiting your response. Go to InBox now.
This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.
Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.
2012, LinkedIn Corporation.
The malicious payload is at [donotclick]69.194.201.21/links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent.
Tuesday, 4 September 2012
LinkedIn spam / 108.178.59.26 and myasuslaptop.com
This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop.com:
Date: Tue, 04 Sep 2012 10:43:03 +0100
From: "noreply" [noreply@linkedin.com]
Subject: Link LinkedIn Mail
REMINDERS
Invitation reminders:
• From Charlie Alexander (Mexico Key Account Director at Quanta)
PENDING MESSAGES
• There are a total of 5 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
The malicious payload (report here) is at [donotclick]108.178.59.26/bv6rcs3v1ithi.php?w=6de4412e62fd13be (Singlehop, US) in a block 108.178.59.0/26 suballocated to a person in Italy. A further malicious download is attempted from [donotclick]myasuslaptop.com/updateflashplayer.exe, which appears to be a legitimate (but hacked) site.
My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned, it is simply a playground for recruiters trying to poach your staff.