Warning: Fake LinkedIn spam can steal your bank passwords

Bogus LinkedIn emails can infect your computer with ZeuS, a password-stealing Trojan. I know, because it just happened to me.

I feel like a complete idiot. I just got taken by a LinkedIn spam that may have just stolen my banking password.

This is not the first time I've been an idiot or clicked on something I shouldn't. But this one could be really bad for me.

Today, spammers using fake Linked-In invitations attacked the Net in a massive way. How massive? According to Cisco Security, at one point today nearly 1 in 4 spam messages was a Fake LinkedIn invite.

Linked-In spam is nothing new -- I wrote about it just last month-- but this attack was particularly nasty, because it can embed password-stealing malware into your browser without you realizing it.

[ See also: Yes, Mr. Zuckerberg, we do care about privacy ]

My story: I saw several LinkedIn invites in my Gmail spam folder, and stupidly opened one of them inside Google Chrome. I even saw that the links inside the email were not to LinkedIn but to some oddly named third-party site. But curious about what would happen (and stupidly confident that my Kaspersky anti-malware software would protect me), I clicked it. My browser started to launch a new site, then quickly redirected to my home page.

Weird, I thought. I tried it again. Same thing happened. I figured that whatever site it was driving me toward had already been taken down by one of the anti-malware orgs like StopBadware.com, and thought nothing more about it.

A couple of hours later I logged into my banking site to check on my account. No big deal.

An hour after that I received the following email from Cisco Security:

Starting this morning, Monday 9/26, at 10am GMT,  cyber criminals sent spam email messages targeting the LinkedIn social media community.

Victims are emailed an alert link with a fictitious social media contact request. These messages accounted for as much as 24% of all spam sent within a 15-minute interval.  Clicking the link, victims are taken to a web page that says “PLEASE WAITING.... 4 SECONDS” and redirects them to Google.  During those four seconds, the victim’s PC is infected with the ZeuS data theft malware by a drive-by download.  ZeuS embeds itself in the victim’s web browser and captures personal information, such as online banking credentials, and is widely used by criminals to pilfer commercial bank accounts.

Organizations should encourage individuals to delete such requests, especially if they do not know the name of the contact. This is the second spam attack this month, preceded by the “Here You Have” email worm a few weeks ago. Cisco expects to see more spam messages containing malware sent to organizations to collect personal information.


OK, I've done stupid things before, with and without computers. I have had many malware infestations, including one variant of the Cool Web Search spyware app that required three months of trying different anti-spyware tools before I could nuke it (Webroot's Spy Sweeper did the job then). But as far as I know I've never compromised my bank account information -- until now.

I've been scanning my system using Kaspersky, and so far it hasn't detected anything out of the ordinary (which doesn't mean ZeuS isn't still lurking -- no anti-malware software is 100 percent reliable). I've already logged on from Firefox and changed my banking info -- but the folks at Cisco Security tell me that ZeuS might still be able to compromise my account.

Here's what Cisco Security Researcher Henry Stern had to tell me:

....if the software on your PC is up to date, particularly Adobe and Sun (Java) products, you may not necessarily have been infected by visiting the site.  If you use Mozilla Firefox with NoScript, you almost certainly haven’t unless you explicitly allowed the offending script to run...

If you have been infected, anything that you have typed into any of your web browsers has probably been compromised.  Also, everything in your browser password stores have been compromised.  The criminals behind this ARE looking for bank logins, so if you have logged in or changed your password, they have it.  If you are a retail banking customer, you are less likely to actually be compromised but that does not matter.

There are instructions online for removing the ZeuS trojan, but I do not recommend any of them.  If you have been simultaneously infected with anything else, you will miss it.  What you need to do is back up all of your data and restore your PC to a known-good state, such as restoring it to the factory image.  You will also need to change all of your passwords.  If you use the same password on multiple sites, you will need to change those too, even if you haven’t logged in after being infected.  So many sites use your email address as your login which makes it easy for an attacker who knows your favourite password to get into all of your accounts.

Bottom line here: Don't do what I did. Delete any LinkedIn spam that looks even the slightest bit suspicious. Needless to say I won't be sleeping very well tonight. May you rest a bit easier.

When ITworld TY4NS blogger Dan Tynan isn't doing incredibly stupid things to his computer, he's tending his eSarcasm humor site (seriously). Follow (but don't spam) him on Twitter: @tynan_on_tech.

This story, "Warning: Fake LinkedIn spam can steal your bank passwords" was originally published by ITworld.

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon