LinkedIn Scam Pretends to Care About Your Security

Oh the irony: A new approach to LinkedIn scamming has been spotted making the rounds, looking to steal confidential information from unsuspecting users by pretending to worry about their cyber-safety.

According to Heimdal Security, emails with the subject line “LinkedIn is requesting files from you” are landing in people’s inboxes. The body is plausibly worded:

“Thank you for being our valued customer. Your account has been selected by our verification office as a precautionary measure to defend you. Upload a viewable, scanned copy of the payment method account holder’s government-issued photo identification, such as a driver’s license or passport.

Upon receipt and verification, we will notate your account that the necessary documentation to substantiate your account has been received. We thank you in advance for your cooperation and apologize for any inconvenience this may cause.

This link will expire in 24 hours, so be sure to use it right away.”

There are several indicators that this is a phishing attempt, starting with the request to send information over email instead of logging in to a secure site.

“You may be familiar with account verification procedures that ask for personal ID to confirm your identity, but they would never request you to send documents via email,” said Andra Zaharia, Heimdal researcher, in a blog. “Some platforms like Twitter or PayPal do have such verification procedures in place, but everything takes place on their secure website, not via email.”

Aside from the ID, the email also asks for a payment receipt, so premium LinkedIn users could be tricked into handing over their payment details as well. The sender’s address is postmaster [@] fnotify.com, which is in no way connected to LinkedIn: a big red flag.

“fnotify.com/ is an empty WordPress website that belongs to a Finnish citizen, which was most likely compromised to be used in this phishing campaign,” Zaharia said.

The attackers also ask for the documents to be uploaded to a Dropbox file rather than to anything on LinkedIn’s own site, which should set off alarms on its own.

Interestingly, the attackers cleverly make use of some safe links in the email to provide a sense of legitimacy. For instance, a link placed on the recipient’s name leads to a password reset page, secured by HTTPS.

“Strangely enough, this is actually a safe page, which could prompt the email recipients to believe that the rest of the email is valid and legitimate as well,” Zaharia said.

The email also contains an “I don’t have access to my email” link, which leads to the legitimate password reset page LinkedIn uses for members who have trouble accessing their account. A link in the footer, “Learn why we included this,” also goes to the proper LinkedIn page.

Speaking of the footer, this also has tell-tale issues.

“A subtle difference is that the phishing email only includes the name of the targeted LinkedIn user in the footer, but not the recipient’s current position, as secure emails from LinkedIn do,” Zaharia said. “By default, your professional headline in the security footer message consists of your current position and the company listed on your LinkedIn Profile. You may customize this professional headline at any time. Currently, only certain emails from LinkedIn contain a security footer message but expect to see it in all emails in the coming months.”

What’s more, the phishing email’s footer carries LinkedIn’s US address, whereas genuine emails sent to European LinkedIn users carry the Dublin address of LinkedIn’s European legal entity.
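The indicators above (an unrelated sender domain behind a “LinkedIn” display name, genuine LinkedIn links mixed with an off-domain upload link, and wording that demands scanned ID under a deadline) can be checked mechanically. The script below is an added example written for this page, not code from Infosecurity Magazine or Heimdal Security. It uses only the Python standard library, runs against a constructed message that echoes the quoted campaign (the sender address and phrasing come from the article; the URL paths and the recipient are invented), and the set of trusted domains is an assumption.

```python
"""Triage the indicators the article lists for the LinkedIn-themed phish.

Added example, not code from the article or from Heimdal Security. The sample
message is constructed from the wording quoted on the page; its URL paths and
recipient are invented, and TRUSTED_DOMAINS is an assumption.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the only registrable domain a real LinkedIn notification would use.
TRUSTED_DOMAINS = {"linkedin.com"}

# Wording lifted from the quoted message; \s+ tolerates line wraps in the body.
DOCUMENT_REQUEST_PATTERNS = [
    r"government-issued photo\s+identification",
    r"scanned\s+copy",
    r"upload[\s\S]{0,200}(driver.s\s+license|passport)",
    r"expire in \d+ hours",
]

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

# Constructed sample echoing the campaign's sender and wording; paths are invented.
SAMPLE_EMAIL = """\
From: LinkedIn <postmaster@fnotify.com>
To: Jane Doe <jane@example.com>
Subject: LinkedIn is requesting files from you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi <a href="https://www.linkedin.com/example/password-reset">Jane Doe</a>,</p>
<p>Thank you for being our valued customer. Your account has been selected by our
verification office as a precautionary measure to defend you. Upload a viewable,
scanned copy of the payment method account holder's government-issued photo
identification, such as a driver's license or passport.</p>
<p><a href="https://www.dropbox.com/request/example">Upload your documents</a></p>
<p>This link will expire in 24 hours, so be sure to use it right away.</p>
<p><a href="https://www.linkedin.com/example/why-included">Learn why we included this</a></p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a hostname (assumes no multi-label public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_info(msg):
    """Return (display name, registrable domain of the From address)."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name, registrable_domain(domain)


def classify_links(html):
    """Split hrefs into those on a trusted domain and those pointing elsewhere."""
    trusted, other = [], []
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname or ""
        (trusted if registrable_domain(host) in TRUSTED_DOMAINS else other).append(url)
    return trusted, other


def document_requests(text):
    """Patterns in the body that ask for ID documents or impose a deadline."""
    return [p for p in DOCUMENT_REQUEST_PATTERNS if re.search(p, text, re.IGNORECASE)]


def triage(raw_message):
    """Return human-readable findings for one raw message; empty means nothing flagged."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    findings = []

    name, domain = sender_info(msg)
    if domain not in TRUSTED_DOMAINS:
        if "linkedin" in name.lower():
            findings.append(f"display name {name!r} claims LinkedIn but sender domain is {domain!r}")
        else:
            findings.append(f"sender domain {domain!r} is not a LinkedIn domain")

    trusted, other = classify_links(body)
    if trusted and other:
        # The mix the article describes: real LinkedIn links lend credibility to the bad one.
        findings.append(f"{len(trusted)} genuine LinkedIn links mixed with off-domain links: {other}")
    elif other:
        findings.append(f"off-domain links: {other}")

    hits = document_requests(body)
    if hits:
        findings.append(f"asks for identity documents / applies time pressure: {hits}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run as-is it reports three findings for the sample: the spoofed display name over fnotify.com, two LinkedIn links mixed with the Dropbox upload link, and all four document-request phrases. Swapping the sender for a linkedin.com address removes only the first finding; the other two indicators stand on their own, which is the point of checking more than the From header.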

In all, the campaign is smart and works hard to convince recipients that the mails are the real deal. But as ever, no one should trust anything that asks for confidential information to be sent by email—or uploaded to Dropbox.
