Done. I sent it in text form since Google rejected the malware attachment. I examined the "ZIP" file and it's actually a "rar" containing an HTML page with obfuscated javascript in it.
Tim

On Mon, 2012-06-11 at 17:41 -0400, Andrew Leslie wrote:
> Please forward me the message.
>
> On Jun 11, 2012 5:28 PM, "Tim Holloway" <[email protected]> wrote:
> I did get an email concerning the need to change my password when I
> responded to a request to connect to someone I know fairly well this
> morning. At the time I had no reason to believe that that would be a
> problem.
>
> I have been worried that there's been sort of a "contest" going on to
> type in passwords and see if they match the harvested database, because
> anyone tapped into the right place would be able to use those clear-text
> passwords and match results to build up a very useful database.
>
> As far as the apparent malware delivery is concerned, here's the
> backtrail (if anyone wants, I'll forward the entire message for them to
> analyze):
>
> Received: from [190.40.186.225] ([190.40.186.225]) by mail2.mousetech.com
> (8.13.8/8.13.8) with ESMTP id q5BKWN1b024788 for <[email protected]>; Mon,
> 11 Jun 2012 16:32:26 -0400
> Received: from mailb-bf.linkedin.com ([216.52.242.151]) by
> mx5.biz.mail.yahoo.com; Mon, 11 Jun 2012 11:32:22 -0500
> Sender: [email protected]
> Date: Mon, 11 Jun 2012 11:32:22 -0500
> From: LinkedIn <[email protected]>
> To: timh <[email protected]>
> Message-ID: <[email protected]>
> Subject: Re: Wire Transfer
>
>
> On Mon, 2012-06-11 at 17:18 -0400, Andrew Leslie wrote:
> > Unfortunately the passwords that were harvested in the initial attack
> > were only md5 encrypted, no salt had been used which is just as good
> > as using plain text nowadays. But so far I have yet to receive an
> > email from them, for now. Hopefully their mail server has not been
> > hijacked.
> >
> > On Jun 11, 2012 5:14 PM, "Tim Holloway" <[email protected]> wrote:
> > I recently received an email with attached ZIP file concerning a "wire
> > transfer" which unless I seriously misread the headers comes from
> > mailb-bf.linkedin.com ([216.52.242.151]) as well as several LinkedIn
> > tokens.
> >
> > I hope by now that everyone is aware that LinkedIn's security system was
> > seriously compromised recently and that as a result, people's encrypted
> > passwords had been posted to a public Internet site.
> >
> > Evidently the breach was more serious than has been admitted, since it
> > looks like a LinkedIn mailserver has been hijacked. Which means that if
> > you have changed your LinkedIn password, the new password may have been
> > harvested.
> >
> > Or in other words, there is now absolutely nothing that can be trusted
> > coming from (or going to) LinkedIn.
> >
> > I hope they got their Instant Delivery and Everyday Low Prices on their
> > Information Technology dollars, because about the last disaster of this
> > magnitude I can recall was when the magazine "Business 2.0" was sunk due
> > to failure to invest in a decent set of backup systems.
> >
> > Again, until someone credible says otherwise, use LinkedIn at your own
> > risk.
> >
> > Tim
> >
> >
> > ---------------------------------------------------------------------
> > Archive http://marc.info/?l=jaxlug-list&r=1&w=2
> > RSS Feed http://www.mail-archive.com/[email protected]/maillist.xml
> > Unsubscribe [email protected]
> >
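The two checks a practitioner would run on a message like this one are (a) walk the Received chain from the top and stop trusting it at the first line that was not written by one of your own MTAs, since every Received line below that point was already inside the message when it arrived and could have been supplied by the sender, and (b) identify the attachment by its magic bytes rather than its name, which is how a "ZIP" turns out to be a RAR. The script below is an added example, not code from the thread or from any of its participants. It rebuilds the two Received lines quoted above as a constructed sample (the addresses the archive redacted are replaced with example.com placeholders), assumes mail2.mousetech.com is the only MTA the recipient operates (OUR_MTAS), and uses a constructed RAR header as a stand-in for the attachment. On this input it reports that the recipient's own server accepted the message from 190.40.186.225, and that the line naming mailb-bf.linkedin.com sits below the trust boundary, so it is sender-supplied and cannot be verified from these headers alone.

```python
import email
import re

# Constructed sample, not the actual message from the thread: the two
# Received lines quoted above, reassembled in the order an MTA presents them
# (newest first). Addresses the archive redacted are replaced with example.com
# placeholders.
SAMPLE_MESSAGE = (
    "Received: from [190.40.186.225] ([190.40.186.225]) by mail2.mousetech.com"
    " (8.13.8/8.13.8) with ESMTP id q5BKWN1b024788"
    " for <recipient@example.com>; Mon, 11 Jun 2012 16:32:26 -0400\n"
    "Received: from mailb-bf.linkedin.com ([216.52.242.151]) by"
    " mx5.biz.mail.yahoo.com; Mon, 11 Jun 2012 11:32:22 -0500\n"
    "From: LinkedIn <noreply@example.com>\n"
    "Subject: Re: Wire Transfer\n"
    "\n"
    "(body omitted)\n"
)

# Assumption: the MTAs the recipient operates. Only Received lines written
# by these hosts are ones we can vouch for.
OUR_MTAS = {"mail2.mousetech.com"}

# "from <peer> (<what the MTA saw>) by <mta>" are the only fields we need.
RECEIVED_RE = re.compile(r"from\s+([^\s;]+)(?:\s+\(([^)]*)\))?\s+by\s+([^\s;]+)")


def parse_received(raw_message):
    """Return the Received hops newest-first as dicts (from, from_info, by)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(text)
        hops.append({
            "from": m.group(1).strip("[]") if m else None,
            "from_info": m.group(2) if m else None,
            "by": m.group(3) if m else None,
            "raw": text,
        })
    return hops


def trust_boundary(hops, our_mtas):
    """Split the chain where our own MTAs stop vouching for it.

    Each Received line is written by its 'by' host. Walking from the newest
    hop, a line is trusted only while 'by' is one of our MTAs; the first line
    written by anyone else, and everything older, arrived inside the message
    and could have been typed in by the sender. Returns
    (trusted_hops, unverified_hops, handoff_peer), where handoff_peer is the
    host that actually connected to the last MTA we trust.
    """
    trusted, unverified = [], []
    for hop in hops:
        if not unverified and hop["by"] in our_mtas:
            trusted.append(hop)
        else:
            unverified.append(hop)
    handoff = trusted[-1]["from"] if trusted else None
    return trusted, unverified, handoff


# Leading bytes of the container formats named in the thread.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07\x00", "rar"),        # RAR 1.5 - 4.x
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
]


def sniff_container(data):
    """Identify an archive by its magic bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Compare the extension an attachment claims with what it really is."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_container(data)
    return {
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual != "unknown" and not actual.startswith(claimed),
    }


# Constructed stand-in for the "ZIP" attachment: a RAR header plus padding.
FAKE_ZIP = b"Rar!\x1a\x07\x00" + b"\x00" * 16

if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    trusted, unverified, handoff = trust_boundary(hops, OUR_MTAS)
    print(f"our MTA accepted the message from: {handoff}")
    for hop in unverified:
        print(f"unverified (sender-supplied) hop: from {hop['from']} by {hop['by']}")
    print(check_attachment("Wire_Transfer.zip", FAKE_ZIP))
```

The trust walk deliberately says nothing about whether the lower hops are genuine; it only marks where your own evidence ends. To go further you would compare the handoff peer against the sending domain's published MX or SPF records, which this offline example does not do.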

