We have received a few emails that appeared to be sent from LinkedIn:
But after checking the email header details, it was clearly spam:
Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail
The A HREF links redirect to 3 different malicious URLs:
hxxp:// groupehydrogaz .com/20sZhJqa/index.html
hxxp:// dealerpos .com/uFj7A93z/index.html
hxxp:// hobbyconcept666.yellis .net/20sZhJqa/index.html
URLVoid reports:
http://www.urlvoid.com/scan/groupehydrogaz.com/
http://www.urlvoid.com/scan/dealerpos.com/
http://www.urlvoid.com/scan/hobbyconcept666.yellis.net/
The page content dumped from one of these malicious URLs looks like:
That content resembles the distribution style of the Blackhole Exploit Kit.
Other malicious URLs are:
hxxp:// ftp.planitur .com.br/dyEmcL4N/js.js
hxxp:// quiztown .org/U2iBLpvu/js.js
hxxp:// wap .tl/8M6kMfpV/js.js
hxxp:// laspeziacaritas .it/1M4VoeVe/js.js
URLVoid reports:
http://www.urlvoid.com/scan/ftp.planitur.com.br/
http://www.urlvoid.com/scan/quiztown.org/
http://www.urlvoid.com/scan/wap.tl/
http://www.urlvoid.com/scan/laspeziacaritas.it/
Always pay attention when opening known and unknown emails:
1) Always analyze email headers to see who sent the email
2) Scan links with our service http://www.urlvoid.com/
3) Do not download unknown files
4) Avoid opening emails whose subject is related to pharmaceutical products
5) Avoid opening emails whose subject is related to sexual content
6) When emails are from your bank, always call your bank before opening the email
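The header check from step 1, applied to the headers quoted in this post, as an added example that is not part of the original post. The BRAND_DOMAINS table and the function names are assumptions made for illustration; the sample contains only the header fields shown above.

```python
import re
from email import message_from_string

# Headers as quoted in this post (only the fields shown there).
SAMPLE = """\
Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail

"""

# Assumption for this example: brand keyword -> domains it legitimately sends from.
BRAND_DOMAINS = {"linkedin": ("linkedin.com",)}


def sender_domain(value):
    """Domain part of the first address found in a header value."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", value or "")
    return m.group(1).lower().rstrip(".") if m else ""


def belongs_to(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_headers(raw):
    """Flag sender domains that do not match the brand named in the mail."""
    msg = message_from_string(raw)
    text = " ".join([msg.get("Subject", ""), msg.get("From", "")]).lower()
    senders = {h: sender_domain(msg.get(h)) for h in ("From", "Return-Path")}
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in text:
            continue
        for header, dom in senders.items():
            if not belongs_to(dom, allowed):
                findings.append(f"{header} domain {dom or '(none)'} is not a {brand} domain")
    # Relay evidence: HELO names and bracketed IPs from each Received hop.
    hops = [{"helo": re.findall(r"helo=([\w.-]+)", r),
             "ips": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", r)}
            for r in msg.get_all("Received", [])]
    return {"senders": senders, "findings": findings, "hops": hops}


if __name__ == "__main__":
    print(check_headers(SAMPLE))
```

The subdomain test compares on a dot boundary, so a lookalike such as a brand name used as a prefix of another domain is still flagged.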