Abnormal Attack Stories: LinkedIn Credential Phishing

June 22, 2020

Abnormal Security

In this attack, attackers impersonate an email from LinkedIn in order to steal login credentials.

Setup: This attack impersonates an automated message from LinkedIn in order to steal users’ login credentials.
Email attack: The email’s sender name impersonates LinkedIn, though the sender email address domain has no relationship with LinkedIn. The email itself looks like an automated notification regarding a possible business partnership. The links provided in the email body all lead to the same phishing credential website.
Payload: The payload link is hosted on an authentic website selling sports products. A portion of their website has been compromised and used to collect the credentials for users’ LinkedIn accounts. The landing page looks similar to the login page of the LinkedIn platform.
Result: If the user falls victim to this attack, their LinkedIn account will be compromised. The attacker could then send further attacks to the user’s connections to compromise those accounts as well, and the user could lose a lot of connections in the process.

Concealed URL: The URL used to steal user credentials was hidden via text. The attacker purposely masked the hyperlink using text in order to hide the ingenuous link, hoping that the user would be convinced solely by seeing the convincing landing page.
Convincing Email & Landing Page: The email appears to be automated notification from LinkedIn, with the landing page of the attack appearing similar to the actual login page for the platform.
Social Engineering: The use of LinkedIn is a popular social engineering tactic attackers use to approach targets in business email compromise (BEC) campaigns. Last week, ESET uncovered a campaign targeting defense companies with LinkedIn messages from fake HR representatives as a way to engage victims and ultimately plant malware to gain a foothold inside these companies.

Related content