Tuesday, August 7, 2012

LinkedIn Invitation Phishing - BlackHole in Action (2)

Last time we discussed the LinkedIn phishing attack here: http://secniche.blogspot.com/2012/06/linkedin-phishing-attack-exploit.html. Within the last 2-3 days, there has been a significant increase in malicious LinkedIn invitation emails. The attackers are exploiting brand names, as discussed earlier in our post on the AT&T phishing attack here: http://secniche.blogspot.com/2012/08/at-phishing-attack-blackhole-back-in.html.

The LinkedIn phishing attack is again based on the same pattern, and some of the details are discussed in this post. The phishing email layout is presented below:

Visiting the link resulted in the following message.

The execution process is the same as in the phishing attacks discussed earlier. The deobfuscated script is shown below:

The HTML content of the phishing email is here: http://pastebin.com/tbyxaEXs.

The complete script is here: http://pastebin.com/kvnvMrma

The script patterns are the same, except that the URL of the malicious domain varies. Be proactive and paranoid when interacting with these types of emails.