Spear Phishing Scam Targets LinkedIn Users

About 10,000 users of LinkedIn, the social networking site for professionals, recently were targeted by a tailor-made scam that urged recipients to open a malicious file masquerading as a list of business contacts.


Most e-mail-based malware attacks and phishing campaigns designed to trick people into handing over personal and financial data generally are blasted out indiscriminately. But so-called "spear phishing" attacks -- such as the bogus LinkedIn campaign -- address recipients by name in the subject line and body of the message to appear more legitimate.

The messages in this campaign were of course spoofed to look like they were sent from LinkedIn, with the subject line "Re: business contacts." The message read:

[recipient's name]

We managed to export the list of business contacts you have asked for.

The name, address, phone# , e-mail address and website are included. The list is attached to this message. After you you check it , could you please let me know if it is complete so we can close the support ticket opened on this matter.

Thank you for using LinkedIn

David Burrows
Technical Support Department

From: [recipient's name]
Subject: business contacts
Date: Friday, September 19 , 2008, 11:38 AM

I would like to know if it is possible to export my business contact list from LinkedIn and save it on my hard drive.

I have tried to do that but it seems that the website stops responding after I press export. Can you export it and send it to me ASAP? It's urgent.

Thank you
[recipient's name]

The "list" attached to the message was malicious software that attempts to steal user names, passwords and other sensitive data from the victim's PC. A security industry source who asked to remain anonymous forwarded Security Fix the scam e-mail used in this attack. The source said the some 10,000 people who received the message all were LinkedIn users.

Spear phishing attacks are not new. We have seen very similar assaults that spoof the Better Business Bureau and the Federal Trade Commission. They're worth pointing out, though, because they usually have a much higher "success rate" than regular phishing and malware attacks.

I have often wondered how long it was going to take crooks to start picking on LinkedIn. The user base is a target-rich environment that is chock full of C-level executives. What's more, once the scammers have hooked a user, they can then exploit the trusted relationships that make up that person's network and mine those contacts for future attacks.

As I have previously grumbled about online greeting cards, services such as LinkedIn condition people to click on links in e-mail they were not expecting. While this attack was successful only against people who opened the attachment, scammers could just as easily have substituted a malicious link for the usual "Join My Network on LinkedIn" hyperlink included in all new contact request invitations.

If you are unsure whether a message that appears to be from LinkedIn is legit, you can always sign in to your LinkedIn account, check your inbox, and confirm that the message is waiting there as well.

LinkedIn spokesperson Krista Canfield said that the messages were not sent through LinkedIn's own network and that the company received inquiries from LinkedIn users about these e-mails and responded to each inquiry with instructions.

LinkedIn says users should only connect to people who they know and trust or people who they have actually met and worked with before. The site includes a list of other security and privacy settings and tips for users on the LinkedIn customer service page.

By Brian Krebs  |  October 8, 2008; 4:31 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  


Brian, a method I have heard of as well (may have read it here, if so please bear with me) was people creating linkedin/myspace/facebook/bebo accounts with the names of other people, and then using these to "be friends/join network" of the real friends of the person whose name they've used. And thus using the trust to send malicious attachments/emails/links/etc.

Would you recommend creating barebone social networking accounts to prevent this? In the past year I've become much more aware of my "online footprint" if you like to call it that, and don't like having information about me floating around the internet that doesn't need to be there.

Posted by: Stern | October 8, 2008 5:29 PM | Report abuse

I've blocked inbound mail from LinkedIn and Bebo for some time now, if the message appears to be "from" LinkedIn then it simply gets blackholed. Perhaps mail administrators might like to use this threat to block similar social networking sites from the work environment.

Posted by: C | October 9, 2008 4:04 AM | Report abuse

@C - Wow, that's a pretty harsh stance for a corporate mail system. While I'm no fan of the plethora of social networking sites, LinkedIn (and others) do provide a useful service for many users. Implementing a wholesale block of all messages from an entire site would surely result in backlash from one's user community.

Spam is a waste of time and resources as well as a vector for exploitation. The balance of usability and security is difficult to achieve and always requires a level of compromise. Best to invest in a layered security approach of white-/black-lists, AV and spy-/malware solutions.

Posted by: TooMuchEmail | October 9, 2008 8:26 AM | Report abuse

Two steps forward, one step backward.

Posted by: Anonymous | October 9, 2008 9:56 AM | Report abuse

Brian, I have a friend that asked me about this article because she received one of these emails and opened it, but nothing happened. She is on a Mac, not Windows. Should she be concerned?

Posted by: Shieldzee | October 9, 2008 10:13 AM | Report abuse

no, the virus is windows only. rock on macs.

Posted by: w | October 9, 2008 11:31 AM | Report abuse

.... and for C level executives to just automatically click on links and open attachments is pretty sad. people who must be conscious about viral infections of their computers and stealing of sensitive data need to be more astute than this.

basic rules
1 - never open attachments. the only times you should open it is if the information is coming across a secluded intranet that doesn't allow outside connections.

2 - never open attachments. NEVER NEVER NEVER! except as laid out in #1.

3 - when you get hyperlinks in an email, move the cursor over it and see where it goes. if it seems overly long or what not.. DO NOT CLICK ON IT. check out the owner of the site Via WhoIs. and see if it is along the correct lines.

4 - never click on hyperlinks.

5 - never open attachments or click on hyperlinks.

6 - if you get an e-mail from support, customersupport, customeraid, or any e-mail regarding assistance or an answer to a problem. check your sent mail to see if you actually sent something.

be willing to question and delete e-mails you don't 110% trust.

failure to do so can cost you more than just some time scanning your computer...

Posted by: anonymous | October 9, 2008 11:37 AM | Report abuse
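The sent-mail check in rule 6 above, applied to the fabricated "Re:" message described in the article, can be automated at the mail gateway or client. The following is an added example, not part of the original post or comments; the addresses, Message-IDs and attachment name are constructed, and the function names are hypothetical.

```python
from email import message_from_string, policy
from email.message import EmailMessage

def check_reply(raw, sent_message_ids):
    """Return reasons an inbound message that claims to be a reply looks fabricated."""
    msg = message_from_string(raw, policy=policy.default)
    if not str(msg["Subject"] or "").strip().lower().startswith("re:"):
        return []  # not presented as a reply; out of scope for this check
    # A genuine reply names the Message-ID of the mail it answers.
    refs = set((str(msg.get("In-Reply-To", "")) + " " +
                str(msg.get("References", ""))).split())
    reasons = []
    if not refs:
        reasons.append("no In-Reply-To/References header")
    elif not refs & set(sent_message_ids):
        reasons.append("references no message in sent mail")
    if reasons:
        # Only escalate attachments when the thread itself cannot be verified.
        names = [p.get_filename() or "(unnamed)" for p in msg.walk()
                 if p.get_content_disposition() == "attachment"]
        if names:
            reasons.append("attachment on unsolicited reply: " + ", ".join(names))
    return reasons

def build_sample(in_reply_to=None):
    """Constructed sample shaped like the message in the article (addresses, file name invented)."""
    m = EmailMessage()
    m["From"] = "Technical Support <support@social.example>"
    m["To"] = "user@corp.example"
    m["Subject"] = "Re: business contacts"
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content("We managed to export the list of business contacts you have asked for.")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="contacts.zip")
    return m.as_string()

if __name__ == "__main__":
    sent = {"<req-1@corp.example>"}  # Message-IDs taken from the user's Sent folder
    for ref in (None, "<forged@elsewhere.example>", "<req-1@corp.example>"):
        print(ref, "->", check_reply(build_sample(ref), sent))
```

Some legitimate help-desk systems answer web-form requests without threading headers, so a hit is a reason to quarantine and review rather than proof of fraud.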

Any chance of getting an actual screenshot?

Posted by: Chris | October 9, 2008 11:51 AM | Report abuse

Stern's comment about "someone using linkedin/myspace/facebook/bebo accounts with the names of other people, and then using these to "be friends/join network" of the real friends of the person whose name they've used" reminds me that this past week I have had the same attack. Someone has used to hit me with the names of several people who wanted to be "friends". All the requests are in the name of lawyers who belong to the same blog group in the D.C. area.

Posted by: dfnsatty | October 9, 2008 4:37 PM | Report abuse


I've had Bebo and LinkedIn blocked for three years now. In all that time, the only complaints that I have had are when the filter got turned off and the messages started coming in again.

Yeah, I'm a pretty harsh kind of guy. But it seems to work!

Posted by: C | October 9, 2008 6:58 PM | Report abuse

anonymous: Great list, thanks for posting it - it's an important reminder.

Posted by: ~sg | October 10, 2008 10:10 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company