At first glance it may look like an official email from LinkedIn, the professional business networking site, asking you to confirm your email address.
But it’s not.
Because the emails don’t really come from LinkedIn, and clicking on the link does not take you to the LinkedIn website.
Instead your browser is redirected to a website announcing that it is the “Toronto Drug Store”, where a square-jawed trustworthy doctor-type is accompanied by a cut-price Anne Hathaway lookalike.
The online store claims it will be able to help you with erectile dysfunction, and even offers a Thanksgiving sale in the form of a Cialis+Viagra “powerpack”. (A steal at $74.95).
Of course, the link embedded inside the email could just as easily have taken your browser to a website hosting malicious code, or a phishing page designed to steal your LinkedIn credentials.
The gang behind this spam campaign are banking on just a tiny proportion of the email recipients being tempted to buy something from the Toronto Drug Store website. If that occurs, despite the recipients initially believing they had received an email from LinkedIn, it will be worth the effort of the spammers because of the commission they can earn.
Yes, it’s hard to believe that such a business model really works – but the cost of sending spam to millions of people is so small, and requires so little effort, that it still goes on.
My advice to you is to invest in a decent security solution that protects you not only against spam and malware that arrives in your email, but also checks the websites you are visiting in case they are dodgy too.
And remember to never buy goods sold via spam. If you do, you’re just encouraging the spam problem to continue.
If you receive an email out of the blue from a brand that you trust, think twice before blindly clicking on the link – it may not be taking you to the real website at all.
One possibility is that the spammers are targeting people who have given LinkedIn more than one email address, although why someone would ever want to receive that much of LinkedIn's own spam isn't clear. I barely use LinkedIn and I still get an unending stream of spam from them.
Perhaps the more likely case is that the scammers are targeting people who don't even know whether they've given LinkedIn more than one email address and are befuddled enough to let stupid spam messages talk them into believing it.
In either case, the presumption that such misguided people exist is apparently what underlies this particular spam scam. The common term for this ("social engineering") is, I suppose, as good as any other, but from the perspective of one who views the quest for secure Internet usage as a constant battle between ne’er-do-wells and decent folks (though, in many cases, hapless ones), this sort of thing seems more appropriately labeled as psychological warfare.
I have never had anything to do with Linkedin but I get three or four emails from them EVERY day. Thankfully they go straight to my Spam box as I am savvy enough not to open them.
Exactly Graham,
I don't have an account with Linkedin or similar because I know what the future looks like with 'social' networks.
Why don't they target and sue these online stores?
Or for that matter the manufacturers?
They are financing the spammers for it and so they might find out who's behind it.
It's not only spamming and reducing bandwidth**
but also their sales of malicious, harmful and even deadly drugs.
** Some months ago a spammer was outputting some 6000 emails out of forums of a major chip manufacturer within a few hours.
It linked towards this same drugstore. (still have a copy)
There are > 5,000,000 subscribers in those forums so you can imagine what it did with the speed of the Internet. (>5 million * 6000 emails)
I have a LinkedIn account but refuse to give my email address to them the usual way, because I have to also give my email address password to them. Why they require this is beyond me. What happens if LinkedIn's account database gets hacked? Millions of users get in trouble as a result. So what I do is post my email address (an alias, at that) in a place on my home account page that does not require my password.