Ten thousand users of LinkedIn, a social networking site for professionals, were recently targeted in a “spear phishing” email scam trying to lure them into downloading a malicious software attachment.
In a blog post Wednesday, Brian Krebs of the Washington Post, who first reported the story, said recipients of the email were addressed by name, which lent the message an air of authenticity.
What sets spear phishing apart from mass, untargeted malware campaigns is that the sender includes information about the intended target in hopes of lending the email even more legitimacy, David Marcus, director of security research and communications for McAfee Avert Labs, told SCMagazineUS.com Thursday.
The message carried a forged sender address of “support[at]linkedin[dot]com” (an address, not a domain) and the subject line “Re: business contact.”
The email read: “We managed to export the list of business contacts you have asked for.” The message then directed the recipient to open an attachment, supposedly the list of business contacts the user had requested. In reality, the attachment installed malicious software that stole data such as usernames and passwords from the victim’s computer.
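The lure described above combines three observable indicators: a sender address that claims to be LinkedIn (which LinkedIn says below it did not send), a subject line that pretends to continue an existing conversation, and an executable delivered as a “contact list.” The following triage script, added here as an example and not part of the original article or any McAfee or LinkedIn tooling, checks a raw message for those indicators. The sample message is constructed to mirror the article’s description; its Return-Path value, attachment name and attachment contents are assumptions, since the article does not give them.

```python
"""Header and attachment triage for a suspected spear-phishing email.

Added example, not from the original article. SAMPLE is a constructed
message modelled on the lure the article describes; the Return-Path,
attachment filename and payload are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Extensions that should never arrive as a "contact list" export.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta"}


def _domain(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_names(msg):
    """Filenames of every MIME part marked as an attachment."""
    return [part.get_filename() for part in msg.walk()
            if part.get_filename()
            and part.get_content_disposition() == "attachment"]


def triage(raw, trusted_domain="linkedin.com"):
    """Return a list of indicator strings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    flags = []

    # 1. Header From claims the trusted brand but the envelope sender differs.
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    claims_trusted = (from_domain == trusted_domain
                      or from_domain.endswith("." + trusted_domain))
    if claims_trusted and envelope_domain and envelope_domain != from_domain:
        flags.append("From claims %s but envelope sender is %s"
                     % (from_domain, envelope_domain))

    # 2. Executable attachment, possibly hidden behind a double extension.
    for name in attachment_names(msg):
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in EXECUTABLE_EXTS:
            flags.append("executable attachment: %s" % name)
            if lower.count(".") >= 2:
                flags.append("double extension disguises attachment: %s" % name)

    # 3. "Re:" subject with no threading headers: a fake reply.
    subject = str(msg.get("Subject", ""))
    if (subject.lower().startswith("re:")
            and not msg.get("In-Reply-To") and not msg.get("References")):
        flags.append("subject claims a reply but no In-Reply-To/References header")
    return flags


# Constructed sample modelled on the article's description (assumed values).
SAMPLE = """\
Return-Path: <bounce@mailer-example.invalid>
From: LinkedIn Support <support@linkedin.com>
To: Jane Doe <jane.doe@example.com>
Subject: Re: business contact
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Jane Doe,
We managed to export the list of business contacts you have asked for.
Please open the attached file.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="business_contacts.xls.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""

# Constructed benign notification for comparison (assumed values).
BENIGN = """\
Return-Path: <notifications@linkedin.com>
From: LinkedIn <notifications@linkedin.com>
To: Jane Doe <jane.doe@example.com>
Subject: Your weekly network update
Content-Type: text/plain

You have 3 new connections this week.
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("FLAG:", flag)
    print("benign flags:", triage(BENIGN))
```

The envelope check only catches the crude case where the bounce address gives the forgery away; a sender that also forges Return-Path will pass it, which is why SPF and DKIM verification at the gateway is the real control and this script is a triage aid rather than a filter.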
According to Marcus, the success rate of spear phishing is significantly higher than that of untargeted attacks. Most people have received some sort of spam or phishing message reading “Dear banking customer” and deleted it. But not many people have gotten an email specifically addressed to them, he said.
“The likelihood that you’re going to think it’s real is certainly going to go up,” Marcus said.
To pull off an attack like this, fraudsters must already have obtained a certain amount of information about their targets, Marcus said.
Generally, an attacker would have acquired a database of names, email addresses and other identifying information, either through a previous hack or by buying it on cybercrime markets, he said. The attacker would use that information to craft a legitimate-looking email directed at the target.
“It’s certainly troubling that the person who instigated the attack had pieces of information on 10,000 people,” Marcus said.
Attackers are targeting the users of social networking sites such as LinkedIn because members are accustomed to receiving email from the site.
Marcus recommended that users who receive the phishing email monitor their bank and credit statements, because receiving it means that someone already has some information about them.
Krista Canfield, spokeswoman for LinkedIn, told SCMagazineUS.com Thursday that the emails were not sent by LinkedIn.
“LinkedIn never advocates that its users be ‘open networkers,’” Canfield said in an email. “In fact, it can be downright dangerous. We always advocate that our users keep their network tightly knit. Users should only connect to people that they know and trust, or people that they have actually met and worked with before.”