New Phishing Campaign Uses LinkedIn Smart Links in Blanket Attack

Email security provider Cofense has discovered a new phishing campaign comprising over 800 emails and using LinkedIn Smart Links.

The campaign was active between July and August 2023 and involved various subject themes, such as financial, document, security, and general notification lures, reaching users’ inboxes across multiple industries.

The financial, manufacturing and energy sectors are the top targeted verticals.

Source: Cofense

Cofense estimated that “this campaign was not a direct attack on any one business or sector but a blanket attack to collect as many credentials as possible using LinkedIn business accounts and Smart Links to carry out the attack.”

What Are LinkedIn Smart Links?

LinkedIn Smart Links, also known as slinks, are used by LinkedIn business accounts to deliver content and to track engagement with that content through LinkedIn Sales Navigator.

A typical Smart Link consists of the LinkedIn domain followed by a ‘code’ parameter holding an eight-character alphanumeric ID, which may also contain underscores and dashes. Malicious Smart Links, however, can carry additional information, such as the victim’s email address in obfuscated form.

Malicious Smart Link structure. Source: Cofense

Smart Links have proven able to bypass secure email gateways (SEGs) and other email security suites because the link uses a trusted domain.

This new trove of Smart Link-based phishing messages suggests that the accounts involved are either newly created or previously compromised LinkedIn business accounts; either way, the built-in tracking of Smart Links gives the threat actors visibility into how the campaign is performing.
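Because the trusted domain lets these links past a gateway's reputation checks, a defender has to look at the link's shape instead. The following is an added example (not Cofense's or LinkedIn's code) that triages Smart Links found in an email body against the structure described above: it assumes the slink form `https://www.linkedin.com/slink?code=<id>` (the path and parameter name are an assumption, not stated in the article), treats an eight-character `[A-Za-z0-9_-]` ID as the expected shape, and flags any deviation (over-long code, extra parameters, fragments), attempting to recover an email address hidden in base64 or hex tokens. The sample email body and addresses are constructed.

```python
"""Heuristic triage of LinkedIn Smart Links (slinks) found in e-mail text.

Added example; not Cofense's or LinkedIn's code. Assumed slink shape (not stated
in the article): https://www.linkedin.com/slink?code=<id>, where a benign <id> is
eight characters from [A-Za-z0-9_-]. Anything beyond that shape is worth review.
"""
import base64
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
BENIGN_CODE_RE = re.compile(r"[A-Za-z0-9_-]{8}")           # used with fullmatch
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LINKEDIN_HOSTS = {"linkedin.com", "www.linkedin.com"}


def decode_candidates(token):
    """Return plausible plaintext decodings of an opaque token (url-safe base64, hex)."""
    out = []
    try:
        padded = token + "=" * (-len(token) % 4)
        out.append(base64.urlsafe_b64decode(padded).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):    # binascii.Error is a ValueError
        pass
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", token):
        try:
            out.append(bytes.fromhex(token).decode("utf-8"))
        except UnicodeDecodeError:
            pass
    return out


def recover_email(token):
    """Look for an e-mail address hidden in a token, whole or in '_'/'-' separated segments."""
    for piece in [token, *re.split(r"[_-]", token)]:
        for text in decode_candidates(piece):
            m = EMAIL_RE.search(text)
            if m:
                return m.group(0)
    return None


def triage_slink(url):
    """Classify one URL. Returns None if it is not a slink, else a finding dict."""
    p = urlparse(url)
    if (p.hostname or "").lower() not in LINKEDIN_HOSTS or not p.path.startswith("/slink"):
        return None
    params = parse_qs(p.query, keep_blank_values=True)
    codes = params.get("code", [])
    reasons, embedded = [], None
    if len(codes) != 1:
        reasons.append("missing or repeated code parameter")
    elif not BENIGN_CODE_RE.fullmatch(codes[0]):
        reasons.append(f"code is {len(codes[0])} chars, expected 8")
        embedded = recover_email(codes[0])
    extra = sorted(k for k in params if k != "code")
    if extra:
        reasons.append(f"unexpected parameters: {extra}")
        for k in extra:
            embedded = embedded or next(filter(None, map(recover_email, params[k])), None)
    if p.fragment:
        reasons.append("URL fragment present")
    return {"url": url, "suspicious": bool(reasons), "reasons": reasons, "embedded_email": embedded}


def scan_text(text):
    """Triage every URL in an e-mail body; returns only slink findings, in order."""
    findings = [triage_slink(u.rstrip(".,;)")) for u in URL_RE.findall(text)]
    return [f for f in findings if f is not None]


# Constructed sample body (not a real campaign artefact). The second and third links
# carry a base64-encoded constructed address, victim@example.com.
SAMPLE_BODY = """Your document is ready for review.
Open: https://www.linkedin.com/slink?code=aB3dE_9x
Also: https://www.linkedin.com/slink?code=aB3dE_9x_dmljdGltQGV4YW1wbGUuY29t
Then: https://www.linkedin.com/slink?code=Zz9-Qq1w&e=dmljdGltQGV4YW1wbGUuY29t
Unrelated: https://www.example.com/report?code=aB3dE_9x
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BODY):
        flag = "SUSPICIOUS" if f["suspicious"] else "expected shape"
        print(f"{flag:15} {f['url']}  {f['reasons']}  {f['embedded_email']}")
```

A link that comes back as "expected shape" is not a clean verdict: as the article notes, a Smart Link leads to the credential page whether or not the recipient's email is embedded in it, so well-formed slinks still need their redirect chain followed in a sandbox before the mail is released. The shape check only surfaces the variant that carries per-recipient data, which is the one most likely to be sent in bulk.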

How Does A Slink-Based Phishing Infection Work?

Upon clicking a malicious LinkedIn Smart Link embedded in an email, the user is sent, either directly or through a series of redirects, to the phishing page.

The phishing kit reads the victim’s email address attached to the Smart Link and uses it to pre-fill the malicious form, reinforcing the illusion that the victim has landed on the legitimate Microsoft sign-in page. Even without the victim’s email in the URL, however, a Smart Link will still lead to a credential phishing page.

Once at the phish, the user will be instructed to log in using their Microsoft Office credentials.

Are LinkedIn Smart Links A New Type of Threat?

LinkedIn Smart Links have been used in malicious phishing campaigns for a while now.

Cofense identified large-scale phishing attacks using LinkedIn Smart Links as early as 2021. The company also reported on a large-scale campaign using slinks in September 2022.

However, this is not a phishing method that malicious actors use regularly.

“While it’s important to use email security suites, it is also essential for employees to constantly be up to date on their training to combat any phishing campaign. Employees must be taught not to click links from emails that seem suspicious or unexpected,” recommended Cofense in the report.
