Spam Flies Fast and Furious in the Wake of the LinkedIn Breach

The deluge of spam dropped on members of LinkedIn last week perhaps could have been expected after a data breach at the site exposed 6.5 million of their passwords. Those messages, though, are more likely to harm members unaffected by the breach than those victimized by it.

That’s because members who had their passwords compromised also had them wiped by LinkedIn. To reset those passwords, they have to go through a two-part process. They have to respond to a message from LinkedIn informing them that their password has been compromised. Then they receive a message from LinkedIn with a reset link.

If a spammer sends a bogus password reset request to an affected member before they receive a message from LinkedIn and they’re fooled into giving the spammer a username and password, the password won’t work because it has been suspended by LinkedIn.

That’s not the case with an unaffected account, though. A spammer who teases a password from one of those members will have a password that can be used to compromise the account.

Some of the spam campaigns attempt to emulate the LinkedIn reset process, explained Eset Senior Researcher Cameron Camp. “They say, ‘Your password has been compromised. Click on this link here,’ and when you do you’re sent to places where you have to enter your user name and password to LinkedIn, which allows them to gather user names and passwords from people who are not affected by the breach,” he told TechNewsWorld.

Those kinds of phishing attacks aren’t new at LinkedIn, but the high-profile breach adds an element of credibility to them.

“LinkedIn has actually been a target for quite a while, and many users have noticed an increase in spear-phishing type of attacks,” NetIQ Senior Product Manager Matt Mosley told TechNewsWorld.

“These attacks are very targeted, to the point that they often appear indistinguishable from actual LinkedIn messages suggesting that a friend or colleague wants approval to link to you,” he said.

Windows Isn’t Flame Retardant

Microsoft revealed last week that a flaw in the certificate authority process in Windows could be used by hackers to spoof code made by the company.

Worse yet, it was discovered that the massive malware program called “Flame” that’s been attacking computers in Iran and its neighbors was using the bogus certificates to infect healthy machines.

A component of Flame plants a watchdog on the network it’s connected to. When a healthy Windows computer tries to perform an update, Flame picks off the communication and routes it to an infected machine. The infected machine sends the poisoned update to the healthy machine. The healthy machine checks the bogus certificate for the update, thinks it came from Microsoft, and allows it to run.

Microsoft swiftly addressed the problem and disabled the certificates and the process that issued them, but Windows users may not be out of the woods yet, according to Bit9 Senior Researcher Dan Brown. He explained that Microsoft doesn’t know who created the rogue certificates.

“The possibility remains that there are still rogue certificates out there that aren’t known,” he told TechNewsWorld.

In addition, Flame itself, while apparently designed to attack Middle Eastern states, is a highly modular piece of malware. The modules can be mixed and matched by the cyber underground.

“It’s almost inevitable, now that this software is widely available, that it’s going to be repackaged and reused for other attacks by other actors,” Brown maintained. “While organizations may not feel they’re threatened because they’re not in the Middle East, but this functionality is now in the malware community, and it can be used for other advanced persistent threats.”

Research Roundup

Data breaches cost companies money and good will, according to research released last week by NetDiligence and Experian.

In a study of actual payouts from more than 70 data breaches over five years, 2005-2010, NetDiligence, a provider of cyber risk management services, found the average cost of a breach during that period to be US$2.4 million. Most of those costs could be attributed to legal services, the report stated.

It also noted that the most typically exposed data was personal identification information, followed by personal health information. It added that the most frequently breached sectors in the study were health care and financial services.

In a survey conducted by Experian Data Breach Resolution and the Ponemon Institute, researchers found that 72 percent of some 700 respondents who had received data breach notices were dissatisfied with them. [*Correction – June 13, 2012] More than two-thirds of those surveyed said notices didn’t contain enough detail (67 percent), while more than half of them (61 percent) had problems understanding the notices.

One group that doesn’t appear to be too worried about data breaches is small businesspeople. According to poll results released by The Hartford insurance company, 85 percent of small-business owners believe it’s unlikely they’ll encounter a data breach.

Most of the business owners surveyed believe they are safe, when in fact smaller businesses are increasingly being targeted, Assistant Vice President of Small Commercial Underwriting at The Hartford Lynn LaGram said.

Breach Diary

  • June 3: Hacker group SwaggSec claimed it breached servers of China Telcom and Warner Bros. and posted stolen documents from the two organizations in the Web. China Telcom did not acknowledge a breaking, but Warner Bros. confirmed a breach, although it said no critical data was accessed.
  • June 5: The owner of the Penn Station East Coast Subs restaurant chain disclosed that 59 of its 238 restaurants may have had their customers’ debit and credit card exposed in a data breach. It advised customers to watch their cards closely for fraudulent charges.
  • June 6: LinkedIn announced it is investigating reports that hackers breached its servers and accessed 6.5 million user names and passwords and posted the data on a Russian hacker forum.
  • June 7: French security firm Vupen denied that its systems were breached and 130 zero-day vulnerabilities stolen by hackers.
  • June 7: Online dating site eHarmony confirmed that a data breach exposed “a small fraction” of its members’ passwords to hackers. Reportedly, 1.5 million password hashes from eHarmony were posted to a Russian password-cracking website.
  • June 7: Music site Last.FM announced it is investigating reports of a data breach and advises all its members to change their passwords.


  • June 17-22: 24th Annual FIRST Conference. Malta Hilton. Sponsored by Forum of Incident Response and Security Teams. Late fee registration (April 1-June 1): US$2,500.
  • June 26: Cyber Security: The Perfect Storm. 2-4:15 p.m. Capital Visitor Center, Washington D.C. Sponsored by MeriTalk Cyber Security Exchange and Sens. Tom Carper (D-Del.) and Scott Brown (R-Mass.).
  • June 27: Future State of IT Security: A Survey of IT Security Executives. 2 p.m. ET. Webcast. Sponsored by RSA. Free.
  • June 29: Third Suits and Spooks Anti-conference. Bel Air Bay Club, Palisades, Calif. Sponsored by Taia Global and Pacific Council on International Policy.
  • August 20-23: Gartner Catalyst Conference. San Diego, Calif. Early bird price (before June 23): US$1,995. Standard price: $2,295.
  • October 9-11: Crypto Commons. Hilton London Metropole, UK Early bird price (by August 10): pounds 800, plus VAT. Discount registration (by September 12): pounds 900. Standard registration: pounds 1,025.

*ECT News Network editor’s note – June 13, 2012: In the original version of this story, we referred to Experian as a data breach company. In fact, Experian is a credit bureau.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels