A new phishing campaign has been spotted hitting LinkedIn users via direct messages and the LinkedIn InMail feature.
They are sent from legitimate LinkedIn Premium accounts that have been hijacked by the phishers, thus increasing the likelihood that recipients will trust the message and click on the link.
The message
The messages/emails say that the sender has just shared with the recipient a document via GoogleDoc/Drive, and offers a shortened Ow.ly link to view it.
When sent through the InMail feature, which allows members with Premium accounts to contact LinkedIn users with whom they have no connection, they look pretty legitimate. Technically they are – LinkedIn is the one doing the sending, and they are sent from a legitimate account. It is just the content that cannot be trusted.
The link in the message redirects the victims to a web page that requires users to enter their Gmail, Yahoo or AOL login credentials and their phone number in order to access the document – a decoy Wells Fargo document hosted on Google Docs.
Phishing attacks from hijacked accounts are very effective
“We do not know how (malware, other phishing attacks, etc.) or how many LinkedIn accounts were compromised in this campaign,” Malwarebytes researcher Jerome Segura noted.
“It’s also unclear whether the shortened URLs are unique per hacked account or not, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and based on Hootsuite‘s stats, we know 256 people clicked on the phishing link.”
But there is no way of knowing whether they followed through the process and entered their credentials in the phishing page:
Segura pointed out that this kind of attack via social media is not new, but it’s effective and difficult to block.
“If your LinkedIn account gets compromised, you should immediately review its settings to change your password and enable two-step verification,” he advises.
“Additionally, you can post a quick update on your timeline that lets your contacts know you were hacked and that any previous message you may have sent with links should be carefully vetted.”