One of the frustrating aspects of working in cybersecurity is the recurrence of well-known attacks. No matter how many times seemingly obvious attacks like phishing are brought to the public's attention, they still find new victims. Whether it is a lack of awareness on the part of the public or the fact that these attacks keep growing in sophistication, phishing remains a staple of the attacker's arsenal. The latest phishing campaign to be discovered in the wild uses hacked LinkedIn accounts. As reported by Malwarebytes Labs in a blog post, the campaign sends LinkedIn private messages, and emails to victims' external accounts, containing bogus links in the hope of harvesting sensitive data. Researchers consider the attack somewhat innovative; as the Malwarebytes report states:
What makes this campaign interesting is the abuse of longstanding and trusted accounts that were hacked, including Premium membership accounts that have the ability to contact other LinkedIn users (even if they aren’t a direct contact) via the InMail feature.
The attack itself aims to harvest victims' email login credentials by tricking them into clicking a malicious link in a message that looks like this:
The link takes the victim to a page that asks for “verification” by entering email login credentials (the email services targeted so far are Gmail, Yahoo, and AOL). The page then asks for a phone number or, in some cases, a secondary email address. Everything entered is logged by the page, which is hosted on an attacker-controlled website, a fact unknown to the victim. The page looks something like the images in the .gif below; once the form is submitted, the victim is redirected to a bogus financial document:
A lot of what makes this attack hard to mitigate is that accounts carrying the “Premium” moniker are more readily trusted. These accounts are expensive and typically used by well-connected professionals with many contacts, so recipients are more likely to open links sent from these hacked LinkedIn accounts. Additionally, the links themselves are shortened Ow.ly links. Shortened links absolutely can be legitimate, but as a general rule I don't open them unless I can somehow preview the full URL.
This leads into prevention, and, honestly, common sense can go a long way. If you receive a link, even from a source you trust, it is best to contact that source out of band (hey, you know each other, right?) and confirm they actually sent it. Shoot them a text and see what they say. It may make you seem a little paranoid, but who cares when your security is at risk? Be equally suspicious of the landing page: a LinkedIn message has no business asking for your Gmail, Yahoo, or AOL password, so never enter email credentials on a page you reached through a link in a message; open your provider's site directly instead. Also be careful with shortened links that hide the full URL. They might be legitimate, but they can just as easily be used to obfuscate a malicious destination.
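One way to preview where a shortened link actually goes without loading the landing page, as an added example that is not part of the original post or the Malwarebytes report: the script below walks the redirect chain hop by hop using HEAD requests with redirects disabled, so the final page (in this campaign, the credential-harvesting form) is never fetched or rendered. The URLs in SAMPLE_CHAIN, the redirector.invalid hostname and the ow.ly paths are constructed for the offline demonstration and are not links from the campaign.

```python
"""Expand a shortened link hop by hop without loading the final page.

Added example: each redirect is resolved with a HEAD request and redirect
following disabled, so the destination page is never fetched or rendered.
SAMPLE_CHAIN below is constructed for offline demonstration only.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
KNOWN_SHORTENERS = {"ow.ly", "bit.ly", "t.co", "tinyurl.com", "goo.gl"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first redirect instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_location(url, timeout=5):
    """Send one HEAD request and return its Location header (None when the
    response is not a redirect). This is the only function touching the network."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirect following disabled, 3xx responses surface as HTTPError.
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def expand_short_url(url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Return the list of URLs in the redirect chain, ending at the landing URL.
    A loop or an over-long chain raises ValueError; treat both as suspicious
    rather than clicking through."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def landing_host(chain):
    """Hostname of the final URL in the chain (the site you would be visiting)."""
    return (urlsplit(chain[-1]).hostname or "").lower()


def describe(chain):
    """Human-readable summary of every hop, plus a warning when the chain never
    left a known shortener (meaning the preview is incomplete)."""
    lines = ["%d. %s" % (i + 1, u) for i, u in enumerate(chain)]
    if landing_host(chain) in KNOWN_SHORTENERS:
        lines.append("WARNING: chain ended at a shortener; destination unknown")
    return "\n".join(lines)


# Constructed sample chain for offline use: a short link bouncing through one
# intermediate redirector (which answers with a relative Location) to a landing page.
SAMPLE_CHAIN = {
    "http://ow.ly/example1": "https://redirector.invalid/go?id=1",
    "https://redirector.invalid/go?id=1": "/account/verify",
    "https://redirector.invalid/account/verify": None,  # final page: no redirect
}


def sample_fetch(url):
    """Offline stand-in for fetch_location, driven by SAMPLE_CHAIN."""
    return SAMPLE_CHAIN.get(url)


if __name__ == "__main__":
    # Pass a real short link as argv[1] to resolve it over the network;
    # with no argument the constructed sample chain is used.
    if len(sys.argv) > 1:
        result = expand_short_url(sys.argv[1])
    else:
        result = expand_short_url("http://ow.ly/example1", fetch=sample_fetch)
    print(describe(result))
    print("Landing host:", landing_host(result))
```

Run it with no arguments to see the sample chain resolved, or pass a short link to expand a real one. Note that the HEAD requests still reach the shortener and any intermediate redirectors, so the sender learns the link was touched; what the script avoids is rendering the final page and being prompted for credentials. If the landing host is not the email provider it claims to be, or the chain loops or runs unusually long, that is the signal to stop.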
Photo credit: Wikimedia