European LinkedIn users are being targeted with highly personalized malicious emails. It is more than likely that the attackers are misusing the compromised LinkedIn user data that has been recently offered for sale.
SANS ISC warned about the campaign on Tuesday, after the German federal CERT (CERT-BUND) issued an alert. SANS ISC then received further examples from users, in different languages.
Dutch company Fox-IT has also confirmed the campaign. The emails address the recipient by full name, job title and company name, and apparently carry an invoice in the attachment. Here’s an example (in Dutch):
“The subject of the email contains the company name, with a semi-random invoice-related subject. The email contains a Word document with a macro. The name of the document is also based on personal information of the receiver,” Fox-IT security researcher Maarten van Dantzig shared.
The content of the Word document looks scrambled – an obvious attempt to push the recipient into enabling Office macros. The macro in the document retrieves a malicious binary from a website – the Zeus Panda banking Trojan.
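The lure traits described above (company name in the subject, a macro-bearing Word attachment, a file name built from the recipient's personal details) can be checked at a mail gateway or during triage. The following is an added example, not code from Fox-IT, SANS ISC or the original article; the function names, finding labels and the sample message are assumptions constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc container

def has_macros(data: bytes) -> bool:
    """Heuristic: OOXML zip with a vbaProject part, or OLE2 file naming a VBA storage."""
    if data.startswith(OLE_MAGIC):
        return "VBA".encode("utf-16-le") in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def tokens(text: str) -> set:
    # Lowercased alphanumeric words of 3+ characters, used for loose matching.
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) >= 3}

def triage(raw: bytes, full_name: str, company: str) -> list:
    """Return which of the lure traits from the article a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    comp = tokens(company)
    if comp and comp <= tokens(str(msg["Subject"] or "")):
        findings.append("subject-has-company")
    for part in msg.iter_attachments():
        if has_macros(part.get_payload(decode=True) or b""):
            findings.append("macro-document")
            if tokens(full_name) & tokens(part.get_filename() or ""):
                findings.append("filename-has-recipient-name")
    return findings

def build_sample() -> bytes:
    """Constructed test message; the 'macro' part is a one-byte placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    m = EmailMessage()
    m["To"] = "jan.jansen@example.com"
    m["Subject"] = "Example Corp - invoice 12345"
    m.set_content("Invoice attached.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename="jan_jansen_invoice.docm")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(), "Jan Jansen", "Example Corp"))
```

A message that shows all three findings together is a strong candidate for quarantine; any one finding alone is common in legitimate mail.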
“With the LinkedIn leak, data has become available that wasn’t reachable by simple screen scrapers (or API users) in the past,” SANS ISC CTO Johannes Ullrich noted.
Needless to say, LinkedIn users would do well to be extra careful from now on about opening unsolicited emails.