I don’t think anyone will be too surprised if I mention receiving yet another fake email. This time I’ve received two emails claiming that I have new LinkedIn messages. Given the email address that it was sent to, I’m wondering if this is a result of an information leak that LinkedIn apparently experienced back in June 2012.
I received two email messages last week, with pretty much the same content, with a subject header of ‘LinkedIn new messages’. Both of the emails were supposedly LinkedIn ‘Invitation reminders’, and on first glance, I didn’t think that there was much wrong with them.
Thinking that I had a LinkedIn message, I checked my LinkedIn Inbox. Luckily though, I did this by typing https://www.linkedin.com/ into my web browser and logging in, and not by clicking on the link that the email sender had so conveniently provided for me.
The LinkedIn website said that there weren’t any new messages. That’s when I looked at the emails a bit more closely, and it was here that I realised that there wasn’t much right with them.
None of the ‘Received:’ headers mentioned a host in the linkedin.com domain, nor any other domain related to LinkedIn. The ‘Return-Path:’ header address was from a completely different domain to the ‘From:’ header address, and a completely different top-level domain for that matter. The ‘Message-Id:’ header had yet a third domain in it, the first part of which looked like a string of 25 random lower case letters. The same random string appeared in the first ‘Received:’ header, but with a completely different domain ending.
The part that stuck out like a sort thumb though, was that the hyperlinks corresponding to the sender’s name, ‘Go to InBox’, and ‘Login to your LinkedIn account to Unsubscribe.’, were nothing to do with LinkedIn and were all three different URLs with two things in common. They were all PHP scripts, and they all ended in ‘?c005’.
None of this is overly surprising, however the main reason that I am mentioning this is because of the particular recipient’s (that is, my) email address. Remember the ‘Millions of LinkedIn passwords reportedly leaked‘ incident back in June? When that happened, I not only changed my LinkedIn password but also changed the email address that I was using for LinkedIn. Both the old and new LinkedIn email addresses contain a string of four random digits, hence they were unlikely to have been guessed. These two fake emails were sent to my old LinkedIn email address, which is making me wonder if email addresses were also leaked.
Another interesting twist to the story, is that these two separate emails, from separate sources, seem to be linked. The first one claimed ‘There are a total of 5 messages awaiting your response’, and the second cleverly claimed ‘There are a total of 6 messages awaiting your response’. As it turns out, I didn’t have that many messages awaiting my response but I’m curious as to why the sender picked 5 and 6. Did I have four messages awaiting my response at the time of the leak, and that fact was also leaked? Who knows.
Malware Musings 
I only ever read messages on the LinkedIn web site. I am suspicious of anything that comes via email claiming to be from any social media sites. There are genuine LinkedIn ‘update’ emails and they are easy to recognise. Anything else – beware!!!
You can easily do a quick analysis of the URL, by using http://www.urlquery.net/. Can get some interesting results with regards to the Blackhole Exploit Kit.
Yeah thanks ando13, I found ‘urlquery.net’ while searching for ‘PHP’ and ‘?c005’ . The URLs in my email didn’t ring any alarm bells on there, but there were other URLs on urlquery with the same PHP script names and ‘?c005’ that were flagged as hosting the Blackhole Explot Kit.
The URLs in my email were returning errors when I tried wgeting them, which then got me wondering if they were compromised servers which had since been fixed, or if they were checking the ‘User-Agent:’ header.
I was tempted to get wget to specify a different user agent header, but ‘urlquery.net’ was already doing that and was saying that there wasn’t anything special about the page it got back, so I stopped at that point.