KrebsOnSecurity reports that a “major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan,” a well-known Trojan horse used in online bank thefts.
Krebs continues: “The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com. … On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS.”
This spam campaign is another illustration of how cybercriminals use social engineering to get users to take action (in this case clicking a link in an email) that bypasses normal defenses. As a general rule, it’s a good idea to refuse to click on email links unless the sender is known to you. And even when you know the sender, you still must develop a new kind of “common sense” that recognizes the dangers associated with the Internet.