Phishers Spread Malicious Links Via Hacked LinkedIn Accounts

Researchers are warning of a new phishing campaign using hijacked LinkedIn accounts to send malicious links in private messages and InMail.

Jérôme Segura, lead malware intelligence analyst at Malwarebytes, made the discovery, revealing that the fraudulent messages sometimes come from hacked Premium accounts.

“The fraudulent message includes a reference to a shared document and a link that redirects to a phishing site for Gmail and other email providers which require potential victims to log in,” he explained.

“Those who proceed will have their username, password, and phone number stolen but won’t realize they were duped right away. Indeed, this phishing scam ends on a tricky note with a decoy document on wealth management from Wells Fargo.”

The phishing messages in question abuse link shortening service and free hosting provider to redirect to the phishing page, which is hosted on a hacked website, Segura added.

Malwarebytes has also spotted attackers abusing LinkedIn’s trusted InMail service to send the same link.

It even includes a custom security footer to add authenticity to the scam. Segura warned that while the delivery mechanism can be trusted in this case, the content most definitely cannot.

“The same can be said for phishing pages that use HTTPS – which is the case here – making content delivery secure but the content itself fraudulent,” he added.

InMail can only be sent from Premium accounts, meaning the phishers have compromised one of these to help their campaign.

“We do not know how (malware, other phishing attacks, etc.) or how many LinkedIn accounts were compromised in this campaign,” wrote Segura.

“It’s also unclear whether the shortened URLs are unique per hacked account or not, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and based on Hootsuite‘s stats, we know 256 people clicked on the phishing link.”

He advised anyone finding their account has been compromised to immediately review and change their log-ins and switch on two-factor authentication, as well as posting an explanatory update to let contacts know what happened.

What’s Hot on Infosecurity Magazine?