Jan 5, 11:00 pm (UTC-7) | by Macky Cruz (Technical Communications)
The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantages of maintaining a list of trusted business contacts for career planning purposes are not lost on LinkedIn's users.
The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices.
Advanced Threats Researcher Ivan Macalintal found some bogus LinkedIn profiles which contain links to malware, using the names and images of famous personalities such as:
- Beyoncé Knowles
- Victoria Beckham
- Christina Ricci
- Kirsten Dunst
- Salma Hayek
- Kate Hudson
… and several others.
Below is a screenshot of the previously mentioned fake Beyoncé LinkedIn profile, with malicious links highlighted:

Bogus Profile of Beyoncé Knowles
Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware.
Note that there are several routes this infection path may take. We are conducting a deeper investigation of these attacks in order to best provide detection and protection against these threats. We will update this blog entry with additional information when it is available.
Update as of January 6 2008, 10:00 PM PST
The malicious file downloaded from the links contained in the mentioned fake profiles is detected by Trend Micro as TROJ_DLOAD.ML. Upon execution, TROJ_DLOAD.ML accesses certain URLs to download files detected as the following:
- TROJ_DLOAD.PN
- TROJ_DLOAD.PI
- TROJ_DLOAD.PG
In turn, these files attempt to download a fake antivirus application detected by Trend Micro as TROJ_FAKEAV.GDS.
Cybercriminals are said to be using pre-registered accounts on social networks as launchpads for this type of attack. Such pre-registered accounts are reportedly being sold in the black market today.
Update as of January 8 2008, 7:00 AM PST
Reports suggest that the previously mentioned pre-registered accounts are sold in black markets by the hundreds. The accounts are then used to send spam inside affected social networks.
Update as of January 15 2008
Analysis by Trend Micro researchers reveals that TROJ_FAKEAV.GDS has the following routines:
Upon execution, it displays the following GUI:

Figure 1. Fake antivirus software GUI
It also displays an icon on the system bar and a fake message alert:

Figure 2. Alarming warnings designed to rattle the user
When the user clicks the abovementioned message alert, the following fake Microsoft Security Center GUI is displayed:

Figure 3. Fake Microsoft Security Center GUI
Furthermore, clicking any link on the abovementioned Microsoft Security Center GUI will display the following prompt for registration:

Figure 4. Users are asked to register to be able to rid their system of viruses allegedly affecting it