More Fallout from the LinkedIn Breach in new Targeted Attacks on Banking

Pierluigi Paganini June 11, 2016

CERT-Bund released a warning that corporate executives may be being targeted with malicious emails using data from the LinkedIn data breach.

The cascading effects of the 2012 LinkedIn breach are still being felt throughout the business world.  On Monday, CERT-Bund, Germany’s Computer Emergency Response Team for federal agencies, released a warning that corporate executives may be being targeted with malicious emails using information likely gained by hackers as a result of the 2012 breach.

CERT-Bund released a screenshot via its twitter feed, of an email containing a fake invoice targeting a business executive at an undisclosed organization.

An examination of the increased in spear-phishing attempts is consistent with credentials leaked in the 2012 LinkedIn breach, according to CERT-Bund.  Johannes Ullrich, of the SANS Internet Storm Center, confirmed reports of users receiving emails that match the same pattern reported by CERT-Bund.

LinkedIn Spear phishing campaign

The increased malicious activity comes on the heels of a recent discovery of a Russian hacker going by “Peace” selling 117 million email and password combinations, a staggering number more than the 6.5 million originally reported, for five bitcoins, or about US$2,300.  Clearly, nothing peaceful is coming from this latest disclosure.

According to Netherland’s based Fox-IT, hackers behind these spear-phishing attempts are able to craft very personalized emails using the target’s first name, last name, role, and company name to deliver a malicious Word document.

When an unsuspecting victim opens the attached Word document, the document appears to be scrambled and instructs the victim to launch a Macro to unscramble the document.  Unfortunately, the Macro reached out to a likely infected website and quietly downloads the Zeus Panda banking Trojan on the victim’s machine.

Panda Banker has many similarities to the now infamous Zeus banking Trojan. The source code was linked several years ago and has resulted in the development of several banking Trojans that have plagued the financial sector over the past year.  Panda Banker uses fast flux DNS to protect its infrastructure from a coordinated takedown from law enforcement, such as happened to the DRIDEX malware in 2015.

Panda Banker has another capability in common with Zeus and that its use of automatic transfer systems (ATSs).  Like the Zeus and SpyEye malwares, Panda Banker leverages ATSs in conjunction with Webinject files as an additional tool to steal a victim’s personal banking information.  Webinject files are JavaScript and HTML code in a text file that allows a hacker to inject specific code into a victim’s browser.  This allows the hacker to tailor their attacks through the use of pop-ups to get a victim to reveal their credentials for a specific website.

The underground hacking forums are littered with developers that leverage ATS for Webinjects.  According to TrendMicro’s report in 2012, ATS creators were actively selling generic ATSs targeting European banks that could be modified for a fee.   This, along with a “who’s who” in the business world in the form of easily acquired LinkedIn credentials, has created a unique and most likely profitable opportunity for hackers.

It is likely that attacks resulting from the LinkedIn breach are going to continue to plague many executives across the globe, particularly in regions where the hackers are comfortable working in such as Europe and North America; however, countries with emerging markets with immature security practices are likely to targets as well, particularly Brazil where the 2016 Summer Olympics will likely draw many corporate sponsors to a single location.  Kaspersky Labs has reported that South America suffered from more than 400 million cyber related incidents in 2015 alone.

So where does that leave LinkedIn?  Hard to say. The company is still urging that users enable its two-factor authentication (TFA) but compliance with that edict may be hard to get user buy-in particularly, when users dislike friction caused by security.  For LinkedIn, it’s a hard choice. Do you mandate TFA for all users and lose market share, or do security practitioners continue to warn the C-Suite of “caveat emptor,” that what may be a good way to stay connected with your peers, LinkedIn also serves as a one-stop-shop for hackers eyeing on who to make you their latest victim.

Written by: Rick GamacheRick Gamache

Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past work includes the Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program.  Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate global supply chains.

LinkedIn –

Twitter –

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – LinkedIn, cybercrime)

you might also like

leave a comment