The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantages of maintaining a list of trusted business contacts for career planning purposes is not lost on LinkedIn’s users.

The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices.

Advanced Threats Researcher Ivan Macalintal found some bogus LinkedIn profiles which contain links to malware, using the  names and images of  famous personalities such as:

• Beyoncé Knowles
• Victoria Beckham
• Christina Ricci
• Kirsten Dunst
• Salma Hayek
• Kate Hudson

… and several others.

Below is a screenshot of the previously mentioned fake Beyoncé LinkedIn profile, with malicious links highlighted:

Bogus Profile of Beyoncé Knowles

Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware.

Note that there are several routes this infection path may take. We are conducting a deeper investigation of these attacks in order best provide detection and protection against these threats. We will update this blog entry with additional information when it is available.

Twitter users are facing yet another attack, this time a phishing threat. A spamming operation previously flooded users of the social networking and micro-blogging site with follower notifications which led to spammy and bogus profiles.

Cyber criminals are now exploiting Twitter’s Direct Messages function, instructing users that pictures of them were seen on another website, and the link is provided in the same message. A variation of this baiting technique informs users that the same website offers a free popular mobile phone.

Figure 1. Sample Twitter update feed with an unsolicited update

The link provided in the messages have the domain , which appears to be somehow related to Twitter itself. Interestingly, clicking on the link redirects users to a bogus Facebook login page, one that looks convincingly like the original.

Figure 2. Embedded spam link leads to this page (above)

Any login credentials probided are logged and stolen. To hide the theft, phishers designed the page to give the appearance of processing the submitted information. Once submitted, it then displays an error message, and then loads the legitimate Facebook site, as if nothing happened.

Facebook credentials were also the object of a phishing attack back in September. Other Facebook-related Web threats include:

• Facebook Picture Joke Connives with Email Harvester
• ‘Bad Blog’ Can Give Facebook Users More Than a Bad Name
• Facebook Mystery Friend? No, Malware.

The Trend Micro Smart Protection Network already blocks the phishing site, protecting users from information theft. Users are strongly cautioned against logging into sites where they are redirected to/from spammed links. Checking browser address bars for the proper URLs helps in verify the proper site, too. URL inconsistencies should immediately be a warning of fraud.

Earlier today, in an unrelated but equally troublesome attack, a hacker seems to have found their way to the Twitter accounts of some thirty-plus personalities (including Fox News, President-Elect Barack Obama, CNN’s Rick Sanchez,  and Britney Spears). This security breach forced Twitter to lock down the accounts and investigate the issue. Considering cybercriminals’ propensity to ‘go where the money is,’ micro-blogging has indeed hit mainstream.

Once inside and active, PRO Antispyware 2009 will flood the user with popups and fake system notifications, supposedly to inform him of an infection or multiple infections present on the system. It will also hijack the browser and attempt to reassure it’s claims by producing a falsified system scan report.

PRO Antispyware 2009 is a scam and should be treated as such: do NOT download or buy it and block it’s homepage using your HOSTS file.

Looking at the IP origins of sample spam messages, it appears that these have been sent out by spam bots using dynamic IPs from different dialup and broadband ISPs.

Figure 1. Sample spammed message.

Clicking on the link would actually direct users to a malicious webpage. In this page, a message prompts users to update their Adobe player to be able to view the reunion video, thus tricking them into executing a malicious file.

Trend Micro detects the file as TROJ_AGENT.ADB.

Figure 2. Malicious website.

The Trojan connects to a remote URL to download TSPY_AGENT.AHCN. This spyware gathers information, MS IE FTP Passwords, and WinInetCacheCredentials, which are Protected Storage items. It uses HTTP post to send the information it has gathered to certain URLs.

This information-stealing routine risks the exposure of victim’s sensitive information, which may then be used by cybercriminals for malicious purposes. TSPY_AGENT.AHCN also has rootkit capabilities that enable it to hide its files and processes from a user.

The Trend Micro Smart Protection Network already blocks these spammed messages and detects the Trojan and the spyware, keeping users PCs safe from infection. Non-Trend Micro users are always cautioned against trusting unsolicited email messages. Clicking links and downloading files from unknown locations almost always lead to malware.

i’m just going to point out that, while some people think MD5 was broken in 2004, the fact of the matter is it’s use in new systems was deprecated back in 1995, and existing systems should have been moving away from it with all possible haste…

apparently there are ways to make this specific attack impossible without even changing the hash algorithm used (essentially salting the message) and that’s certainly a good idea - but still there’s no good reason for anything to be using MD5 at this stage of the game… there’s been enough time for any legacy system that used it to have been reworked or replaced, and while we should probably start moving away from SHA1 as well (at least to SHA256 until the new SHA3 standard is selected), we should all have moved away from MD5 by now and if you haven’t then shame on you…