In this attack, attackers impersonate an email from LinkedIn in order to steal login credentials.
Platform: Office 365
Mailboxes: 15,000 to 50,000
Email Gateway Bypassed: Proofpoint
Payload: Malicious Link
What was the Attack?
Setup: This attack impersonates an automated message from LinkedIn in order to steal users’ login credentials.
Email attack: The email’s sender name impersonates LinkedIn, though the sender email address domain has no relationship with LinkedIn. The email itself looks like an automated notification regarding a possible business partnership. The links provided in the email body all lead to the same phishing credential website.
Payload: The payload link is hosted on an authentic website selling sports products. A portion of their website has been compromised and used to collect the credentials for users’ LinkedIn accounts. The landing page looks similar to the login page of the LinkedIn platform.
Result: If the user falls victim to this attack, their LinkedIn account will be compromised. The attacker could then send further attacks to the user’s connections to compromise those accounts as well, and the user could lose a lot of connections in the process.
Why is this attack effective?
Concealed URL: The URL used to steal user credentials was hidden via text. The attacker purposely masked the hyperlink using text in order to hide the ingenuous link, hoping that the user would be convinced solely by seeing the convincing landing page.
Convincing Email & Landing Page: The email appears to be automated notification from LinkedIn, with the landing page of the attack appearing similar to the actual login page for the platform.
Social Engineering: The use of LinkedIn is a popular social engineering tactic attackers use to approach targets in business email compromise (BEC) campaigns. Last week, ESET uncovered a campaign targeting defense companies with LinkedIn messages from fake HR representatives as a way to engage victims and ultimately plant malware to gain a foothold inside these companies.