Phishing is the most common cyberattack, and we are used to being told how important it is to be careful with links and attachments in email. Email is by far the most common arena for phishers to try their baits, but it is not the only one. Lately, we have seen an uptick in malicious links sent to people on LinkedIn using InMail, a way of sending messages to people you are not connected with on the social network if you are a paying customer with a premium account.

Today, a friend of mine running his own consulting business within quality and risk management, Reflect Consulting, sent me an example of such a malicious message he had received and asked if I could check out what this was.

Phishing message on LinkedIn. Note the URL: this is LinkedIn’s replacement of a URL it finds suspicious.

The phishing InMail has several indicators of social engineering in its format:

  • URGENT: trying to get the recipient in a hurried state of mind: click, don’t think.
  • Proposal: looks like a potential business opportunity? They are trying to create something you want to click on.
  • Praise: removing inhibitions by adding praise (we see you are competent)
  • Weird grammar/language. The name of the sender is redacted because the account used to send the InMail may have been compromised too, but the name of the sender indicates he would be a native Danish speaker, as is the recipient of this InMail, so it would also have been more natural if the message had been sent in Danish.

The URL redirects through LinkedIn’s servers to [hxxp://review-linkedin-document.com/proposal.pdf]. This link will download a malicious PDF file, but if you click on the link in the InMail, LinkedIn tries to stop you from downloading the file.

Obviously, you should not attempt to download and open this file on your computer. The domain used, review-linkedin-document.com is a typical phishing domain; it uses names that could make it pass as a legitimate LinkedIn domain for a document for a user in a hurry. If it had not been for LinkedIn’s internal security systems marking it as suspicious and changing the link in the InMail, it would have been much more likely to lead its intended victim to click that link.

How did LinkedIn know this link was malicious? I don’t know but it is likely that LinkedIn actively searches for phishing domains and uses threat intelligence to detect new malicious domains. This domain was registered on April 5, 2020, and the InMail was sent on April 6. It this had been a real LinkedIn service, it would not be a completely new domain. It was not yet blocked in Google’s safe browsing as malicious, and a test of the URL in VirusTotal showed that only a single antivirus engine detected it as malicious.

The file it downloaded was a PDF file. We performed a sandbox analysis on Joe’s Sandbox of this payload. You can read the report here: https://www.joesandbox.com/analysis/220407/0/html.

Screenshot of malicious PDF file used in LinkedIn attack

The sandbox registers a number of unusual behaviors when opening the PDF file but most importantly is the phishing attempt: it opens a PDF document with a button. When this button is clicked you are taken to a fake Microsoft login page, trying to trick you to give out your username and password for Office365. Many companies use Office365 for document storage, but also use Microsoft logins for general access to cloud applications through the directory service Azure AD.

Login page from phishing link. If you sign in here, you are giving your username and password to hackers. Checked with urlscan.io.

Defending against social engineering

This is phishing, the same as we are used to dealing with in email. Criminals are turning to other services where security tools are less common and users have not been trained to be careful in the same way. Here are some ways you can stay safe.

First of all, turn on two-factor authentication on all accounts. We can all fall for phishing, especially if it is a well-crafted attack. Two-factor authenticaiton will ensure that the hackers still cannot take over your account.

Be careful with links from unknown sources, whether on LinkedIn, e-mail or in other channels. If we are in a hurry or distracted, it is easier than one should think to click on something we should have or could have detected as suspicious. Make it a habit to: Stop – Think – Click.

Inform colleagues of LInkedIn phishing attempts to make them aware of the risk. Many people are less aware of phishing risks on social media such as LinkedIn, Facebook or WhatsApp.

Always run up-to-date software on smartphones and computers, avoid working with an administrator account, use endpoint protection software, in particular on Windows.

Stop the phishing now!

These practices are a great start but if you want to stay ahead of the criminals, download our practical checklist of phishing defenses today to help your organization stay safe from account takeovers, malware and online scams.

One thought on “Phishing on LinkedIn

  1. Close call on a professional network. You never know what could have happened. Thanks for the quick support👍👍👌👌👌
    Dirk J. Boock, Reflect-Consulting

Leave a Reply