Hackers are Using Stolen LinkedIn Data to Spread Banking Malware via Phishing Emails


When large amounts of account credentials are dumped online, hacking into user accounts is not the only concern that emerges. Since a hacker put a massive LinkedIn dataset, containing account details of over 117 million users, up for sale on the dark web, there has been an increase in cases of identity theft and phishing attacks.

Stolen LinkedIn data used in phishing emails in the Netherlands

The first thing we do after a major website is breached and its data leaked is change our passwords. But what about our email addresses, usernames and IP addresses, along with other personal information that may be associated with our accounts, depending on the service we are using? Beyond account takeover, there is further business in malicious campaigns designed to abuse this data to spread malware on a large scale.

Following the LinkedIn leak, cybercriminals are using the data associated with public LinkedIn profiles to target victims. The German federal CERT (CERT-BUND) warned on Twitter that phishing emails written in Dutch, containing fake invoices as Word documents, are being sent to recipients and carry their names and business roles. "The names and business positions in these emails were associated with the LinkedIn leak, being consistent with public LinkedIn profiles," SecurityWeek reported, quoting CERT.

Data previously unreachable has now become available

These phishing emails address the recipient by their full name, job title and company name, making them look more convincing. "With the LinkedIn leak, data has become available that wasn't reachable by simple screen scrapers (or API users) in the past," Johannes Ullrich noted in a post on ICS SANS.

Yesterday, the German federal CERT (CERT-BUND) warned of phishing e-mails that are more plausible by using data that appears to originate from the recently leaked LinkedIn data set. The e-mails address the recipient by full name and job title. Typically, the attachments claim to contain an invoice.

Not only do these emails use specific recipient information, but the attached Word document is also based on personal information, making the messages hard to recognize as malware. Researchers have said that attackers have packed these attachments with malicious macros and try to trick users into enabling them. Once enabled, the macros pave the way for the Zeus Panda banking trojan.

Another security firm, Fox IT, also observed malicious emails being delivered to users in the Netherlands. Phishing emails started to appear "in large quantities on June 7, with the first name, last name, role, and company name of the recipient being taken from the user’s LinkedIn page."

The firm has advised the recipients who have opened the Word attachments to consider scanning their computers with anti-virus programs.