A different kind of contact: malware attack instead of an online business card

04/05/2013
G DATA Blog

Most users think that spam emails are mainly used for phishing attacks. That is a fairly reasonable assumption, however, the number of malware attacks initiated using emails is also on the rise. In a recent example of this, attackers used fake LinkedIn contact requests to lure their victims to websites primed with exploit kits.

[Screenshot: fake LinkedIn email with three links]

The emails tell the recipients that they have received a contact request in the self-proclaimed "world's largest professional network on the Internet." It is often suggested that the contact comes from a renowned company and that there are other messages waiting for the user. In addition, the email is marked as high priority to make it as appealing as possible.

The fake email features a simple but professional design and there is hardly anything indicating that it is a fraud if you compare it to an original. However, what is notable is that the spam email is a mixture of a LinkedIn contact request email (subject line) and a reminder email (text).

Bad intentions

Clicking on one of the three links in the email opens a connection to a forwarding website, which takes the victim to a website that has been primed for attacks using an exploit kit. Depending on its version, the exploit kit bundles a number of exploits for different vulnerabilities and serves as the actual attack tool.
If a user visits one of these primed websites, the exploit kit checks the configuration of the user's computer for applications that can be attacked (browser, software, OS, ...). If the configuration that is read contains one or more vulnerabilities, a suitable exploit is sent to the client, which uses the discovered security flaw, for example, to secretly download additional malware code to the vulnerable computer (drive-by download).
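As an added illustration (not part of the G DATA post), a defender-side triage script that checks a raw message for the lure traits described above: the high-priority flag, LinkedIn branding in the text, and links whose host is not a linkedin.com domain. The sample message and its redirector domain are constructed placeholders.

```python
# Added example, not from the G DATA post: heuristic triage of a "contact request"
# email for the traits the post describes: high-priority flag, LinkedIn-branded
# text, and links whose host is not linkedin.com (i.e. a forwarding site).
import email, email.policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure; the redirector domain is a placeholder.
SAMPLE_EMAIL = b"""\
From: LinkedIn <invitations@linkedin.com>
Subject: Invitation to connect on LinkedIn
X-Priority: 1 (Highest)
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have a new contact request on LinkedIn, the world's largest professional network.</p>
<a href="http://redirector.example.invalid/t?id=1">Accept</a>
<a href="http://redirector.example.invalid/t?id=2">View invitation</a>
<a href="http://redirector.example.invalid/t?id=3">You have 2 unread messages</a>
</body></html>
"""
class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # href of every <a> tag in the HTML body

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def host_matches(url, domain):
    """True if the URL host is `domain` or a subdomain of it (not a look-alike)."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def triage(raw_bytes, brand_domain="linkedin.com"):
    """Return findings for one raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part else ""
    collector = LinkCollector()
    collector.feed(html)
    off_domain = [u for u in collector.links if not host_matches(u, brand_domain)]
    high_priority = (msg.get("X-Priority", "").strip().startswith("1")
                     or msg.get("Importance", "").strip().lower() == "high")
    # The post's key sign: the brand is named in the text, yet every link leads elsewhere.
    return {
        "off_domain_links": off_domain,
        "high_priority": high_priority,
        "suspicious": brand_domain.split(".")[0] in html.lower() and bool(off_domain),
    }
```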

Attacks with exploit kits are profitable and therefore popular

Exploit kits are among the most widespread attack tools in use and are popular with attackers because they are relatively easy to use. They also enable less experienced cyber criminals to use manipulated websites for attacks and deliver all types of malware to the site's visitors. Both the exploit kits themselves and complete attack packages including all servers, settings etc. can be acquired as services on the black market.

Vulnerabilities in operating systems or software are among the main gateways for all types of malware code and very popular with cyber criminals. The Internet is the greatest gateway. All it takes for an infection is to visit a primed website!
It is absolutely irrelevant whether the website offers adult content, is a news website or represents the local sports club. Hence, a website's theme offers no indication as to whether it is currently dangerous or harmless to users. Of course, popular websites with many visitors are more attractive to attackers, but anyone who surfs the net is a potential victim, irrespective of the sites they visit!
In June 2012, the experts at Google reported that they discover about 9,500 new malicious websites every day and the G Data Security Labs determined that the number of new exploit type signature variants registered by G Data increased by almost 58% in the second half of 2012.

For more statistics on the spread of dangerous websites and developments in the area of malware for PCs as well as mobile devices, see the G Data Malware Report H2/2012.

How can you protect yourself against drive-by attacks and exploit kits?

PC security depends on the combination of the security software used, operating system updates and software updates. Multi-level protection is a must!
Vulnerabilities in Oracle's Java, Adobe Flash and Adobe Reader are often publicised in the media and therefore brought to the users' attention, but many think "I don't have to update, nothing is going to happen to me" or "there is nothing worthwhile on my computer." This assumption is wrong, because every infected computer is of value to the attackers.
However, merely keeping the three aforementioned programs up to date is not enough! To eliminate known vulnerabilities, all programs and the operating system must always be kept up to date with patches and updates.

To sum it up, this means:

  • An up-to-date comprehensive security solution with a malware scanner, firewall, web and real-time protection is an absolute must. A spam filter that protects you from unwanted spam emails also makes sense.
    Tip for company networks: starting in the second quarter of 2013, G Data business solutions offer G Data PatchManagement as an additional module.
  • The installed operating system, browser and its components as well as the security solution installed should always be kept up-to-date. Program updates should be installed immediately to close existing security holes.
  • In your web browser, we recommend deactivating the execution of plug-ins, scripts and also most advertising content by default and activating them only as needed. You can make these settings in the browser or use appropriate browser enhancements.