Abnormal Attack Stories: LinkedIn Credential Phishing

June 22, 2020

Abnormal Security

Abnormal Security

In this attack, attackers impersonate an email from LinkedIn in order to steal login credentials.

Quick Summary

  • Platform: Office 365
  • # Mailboxes: 15,000 to 50,000
  • Email Gateway: Proofpoint
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

What was the Attack?

  • Setup: This attack impersonates an automated message from LinkedIn in order to steal users’ login credentials.
  • Email attack: The email’s sender name impersonates LinkedIn, though the sender email address domain has no relationship with LinkedIn. The email itself looks like an automated notification regarding a possible business partnership. The links provided in the email body all lead to the same phishing credential website.
  • Payload: The payload link is hosted on an authentic website selling sports products. A portion of their website has been compromised and used to collect the credentials for users’ LinkedIn accounts. The landing page looks similar to the login page of the LinkedIn platform.
  • Result: If the user falls victim to this attack, their LinkedIn account will be compromised. The attacker could then send further attacks to the user’s connections to compromise those accounts as well, and the user could lose a lot of connections in the process.

Why is this attack effective?

  • Concealed URL: The URL used to steal user credentials was hidden via text. The attacker purposely masked the hyperlink using text in order to hide the ingenuous link, hoping that the user would be convinced solely by seeing the convincing landing page. 
  • Convincing Email & Landing Page: The email appears to be automated notification from LinkedIn, with the landing page of the attack appearing similar to the actual login page for the platform. 
  • Social Engineering: The use of LinkedIn is a popular social engineering tactic attackers use to approach targets in business email compromise (BEC) campaigns. Last week, ESET uncovered a campaign targeting defense companies with LinkedIn messages from fake HR representatives as a way to engage victims and ultimately plant malware to gain a foothold inside these companies.

Targeted Email Attack

(click to enlarge)

Payload Link

(click to enlarge)

Techniques to Detect

(click to enlarge)

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

Like our article? Share our content