Online pharmacy spam disguised as LinkedIn message

We have posted many times about online pharmacy spam disguised as phishing emails for various entities like Amazon, Paypal, eBay, AOL, Facebook and Twitter.

Since the end of December 2011, we have started to see large amounts of emails being sent in the name of the well known professional social network LinkedIn.

They appear as a message coming from a member of the network and it is created in exactly the same way as the real messages from LinkedIn are.

All three links in the message point to Canadian pharmacy websites.

But that’s pretty much everything what these emails have with the real emails from LinkedIn in common.

This is how a header from a real LinkedIn notification email looks like:

DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl;b=QP/1m31bDqBEAvwPHttWHrLhmFYaBtpLNS8JcPASx7ubcvbp+jv2rqp+Wf9HYQvOpPXvpk5mNytybeLzguZErqNivgStR3ezv99tVaFDVjZkH1bRt8Waw4BKvT1b5ed9 DKIM-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim; c=relaxed/relaxed; q=dns/txt; i=@linkedin.com; t=1317980262; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl: X-LinkedIn-Template; bh=LD81uT/pNemTvLrQCUsgBb1fhow=; b=k1JM3Hx6gHNvHtG4ZQYXJkPRpkAac7A9G2iSLNJUigNAwekZYEBQQt+0fLKZIhVz9Oeymgr3elhicVeoSs1OredmLtWBrmEWdx3L1qneClaYH6pj96WlZAyyDtx5+t80;
Sender: messages-noreply@bounce.linkedin.com
From: <NAME> via LinkedIn <member@linkedin.com>
Reply-To: <NAME> <EMAIL> 
To: <NAME-EMAIL>
Message-ID: <442520127.699297.1317980262313.JavaMail.app@ela4-bed83.prod>
Subject: <SUBJECT>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=”—-=_Part_699296_2123905300.1317980262311″
X-LinkedIn-Template: email_type_MEBC_MEBC
X-LinkedIn-Class: MBR-TO-MBR
X-LinkedIn-fbl: s-vBiNpuSnUIfLFPIaqeKOKFjCAO92hyF0CcigFCjLgL9LtErAk1WtGI

We see there a DKIM signature, we also see clear headers indicating how the email is written and why, we see also a signature of the template used to write the email.Also to note are the fields which I marked as bold.

In comparison, the headers of a fake email don’t have a DKIM signature and don’t have the X-LinkedIn headers.

Indeed, an interesting approach, but pretty far away from reality. Of course, the biggest mistake the fake emails contain and which makes them very easy to block is the fact that they fake the URL. This is why they resemble so much to phishing emails:

<a href=”http://<DOMAIN>/swoops.html”>http://www.linkedin.com/e/-12c-e81e8/ed43d/ins/146956745/Catriona/Richardson/EML/?hs=unread&tok=a77d936b16</a>

As usual, we strongly advise to simply erase these emails in case your server or your antispam product did let them to pass through.

Sorin Mustaca

Data Security Expert