The Latest in IT Security

Online pharmacy spam disguised as LinkedIn message

12 Jan 2012

We have posted many times about online pharmacy spam disguised as phishing emails for various entities like Amazon, Paypal, eBay, AOL, Facebook and Twitter.

Since the end of December 2011, we have been seeing large numbers of emails sent in the name of the well-known professional social network LinkedIn.

They appear to be a message coming from a member of the network, and they are built in exactly the same way as the real messages from LinkedIn.

All three links in the message point to Canadian pharmacy websites.

But that is pretty much all these emails have in common with the real emails from LinkedIn.

This is what the headers of a real LinkedIn notification email look like:

DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl; b=QP/1m31bDqBEAvwPHttWHrLhmFYaBtpLNS8JcPASx7ubcvbp+jv2rqp+Wf9HYQvOpPXvpk5mNytybeLzguZErqNivgStR3ezv99tVaFDVjZkH1bRt8Waw4BKvT1b5ed9
DKIM-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim; c=relaxed/relaxed; q=dns/txt; [email protected]; t=1317980262; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl:X-LinkedIn-Template; bh=LD81uT/pNemTvLrQCUsgBb1fhow=; b=k1JM3Hx6gHNvHtG4ZQYXJkPRpkAac7A9G2iSLNJUigNAwekZYEBQQt+0fLKZIhVz9Oeymgr3elhicVeoSs1OredmLtWBrmEWdx3L1qneClaYH6pj96WlZAyyDtx5+t80;
Sender: [email protected]
From: <NAME> via LinkedIn <[email protected]>
Reply-To: <NAME> <EMAIL>
To: <NAME-EMAIL>
Message-ID: <[email protected]>
Subject: <SUBJECT>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_699296_2123905300.1317980262311"
X-LinkedIn-Template: email_type_MEBC_MEBC
X-LinkedIn-Class: MBR-TO-MBR
X-LinkedIn-fbl: s-vBiNpuSnUIfLFPIaqeKOKFjCAO92hyF0CcigFCjLgL9LtErAk1WtGI

We see a DKIM signature; we also see clear headers indicating how the email was written and why, as well as an identifier of the template used to generate it. Also note the fields that I marked in bold.

In comparison, the headers of the fake emails have no DKIM signature and none of the X-LinkedIn headers.

An interesting approach, but pretty far from the real thing. The biggest mistake in the fake emails, and the one that makes them very easy to block, is that they fake the URL: the visible link text is a linkedin.com address while the actual link target is a different domain. This is why they resemble phishing emails so closely:

<a href="http://<DOMAIN>/swoops.html">http://www.linkedin.com/e/-12c-e81e8/ed43d/ins/146956745/Catriona/Richardson/EML/?hs=unread&tok=a77d936b16</a>
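As an added illustration (not code from the original post or from LinkedIn), here is a Python check that applies the three tells described above to a raw message: a DKIM-Signature header for d=linkedin.com, the X-LinkedIn-* headers, and anchors whose visible text is a linkedin.com URL while the href points to another host. The sample message and the pharmacy-spam.example domain are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Simplistic anchor extractor, enough for the spam templates discussed here;
# a production filter would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']?([^"\'\s>]+)[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

def mismatched_links(html):
    """Anchors whose visible text is itself a URL on a different host than the href."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested in the anchor
        if text.lower().startswith("http") and host(text) != host(href):
            out.append((href, text))
    return out

def check_linkedin_mail(raw):
    """Apply the three tells from the post; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Presence check only: a forger can add a bogus DKIM-Signature header, so a
    # real filter must also verify the signature cryptographically (DNS key lookup).
    if not re.search(r"\bd=\s*linkedin\.com\b", msg.get("DKIM-Signature", "")):
        findings.append("no DKIM-Signature for d=linkedin.com")
    if not any(k.lower().startswith("x-linkedin-") for k in msg.keys()):
        findings.append("no X-LinkedIn-* headers")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in mismatched_links(body.get_content()):
            findings.append(f"link text shows {host(text)} but href goes to {host(href)}")
    return findings

# Constructed sample in the shape of the fake message described in the post;
# the href domain is a placeholder, not a real spam site.
FAKE = """From: Jane Doe via LinkedIn <member@linkedin.com>
Subject: Invitation to connect
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><a href="http://pharmacy-spam.example/swoops.html">http://www.linkedin.com/e/-12c/ins/EML/?hs=unread</a></body></html>
"""
```

Running `check_linkedin_mail(FAKE)` flags all three tells, while a message carrying a d=linkedin.com DKIM-Signature, X-LinkedIn-* headers and consistent links returns an empty list.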

As usual, we strongly advise simply deleting these emails if your mail server or antispam product lets them through.

Sorin Mustaca

Data Security Expert
