Phishers are trying to trick users into opening a “LinkedIn Private Shared Document” and entering their login credentials into a fake LinkedIn login page, security researcher JB Bowers warns.
The phishing attack
The phishing message is delivered via LinkedIn’s internal messaging system and looks like it has been sent by one of the victim’s contacts. The message urges the recipient to follow a third-party link to view a document.
But, as Bowers pointed out, “there is no such thing as a ‘LinkedIn Private Shared Document’,” and this alone should set off alarm bells for targets.
If they fail to find this suspicious, they’ll be redirected to a convincingly spoofed LinkedIn login page, and if they enter their login credentials, their account will probably soon be sending out phishing messages to their contacts.
Perhaps the phishers are indiscriminate in who they target, but compromising high-value targets might allow them to more successfully target a greater number of LinkedIn contacts or pivot into stealing even more critical credentials (e.g., for Microsoft/Office 365 accounts).
Detecting and blocking this type of attack
The phishing pages are hosted on sites that may also have legitimate work purposes, e.g., Appspot, Firebase, and Pantheon.io, making it unlikely that enterprises would block access to them.
“The sites use major ASNs including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful,” Bowers noted.
To prevent this type of attack from resulting in a wider compromise of enterprise systems and networks, employees should be taught to spot it (and similar variations). Another option to consider is blocking the use of social media/networks from work computers, though that might not sit well with the employees.
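Because the phishing pages sit on shared hosting platforms behind large ASNs, blocking by domain or ASN is impractical, as the article notes. A more useful defensive check is to look at the link itself: LinkedIn branding in a URL that does not actually resolve to linkedin.com, a login path on a multi-tenant hosting domain, or the non-existent “Private Shared Document” lure phrase. The following is an added example written for this article, not code from Bowers or from LinkedIn; the hosting suffixes, the lure phrase list and the sample message are assumptions and constructed inputs.

```python
"""
Added example (not from the article or JB Bowers): a small triage heuristic for
the "LinkedIn Private Shared Document" lure. It flags links that borrow LinkedIn
branding while resolving to a foreign host, login pages on shared hosting
platforms, and the lure phrase itself. All sample data is constructed.
"""
import re
from urllib.parse import urlparse

# Assumed: the registrable domain LinkedIn uses for sign-in.
LINKEDIN_DOMAINS = {"linkedin.com"}

# Assumed: public hostnames of the shared hosting platforms the article names
# (Appspot, Firebase, Pantheon.io). Extend to match your environment.
SHARED_HOSTING_SUFFIXES = (
    "appspot.com", "firebaseapp.com", "web.app", "pantheonsite.io",
)

# The article states that no "LinkedIn Private Shared Document" feature exists,
# so the phrase itself is a usable indicator.
LURE_PHRASES = ("linkedin private shared document",)

BRAND_RE = re.compile(r"linked[-_]?in", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the suffixes used here.
    A real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> dict:
    """Return the reasons a single URL looks like a LinkedIn credential lure."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path_and_query = parsed.path + "?" + parsed.query
    is_linkedin = registrable_domain(host) in LINKEDIN_DOMAINS
    brand_in_url = bool(BRAND_RE.search(host) or BRAND_RE.search(path_and_query))
    on_shared_host = any(
        host == s or host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES
    )

    reasons = []
    # Brand name in a URL whose registrable domain is not linkedin.com:
    # catches both lookalike subdomains and "linkedin.com.evil.example" tricks.
    if brand_in_url and not is_linkedin:
        reasons.append("linkedin-branding-on-foreign-host")
    # A login/sign-in page served from a multi-tenant hosting platform.
    if on_shared_host and re.search(r"log-?in|sign-?in", path_and_query, re.I):
        reasons.append("login-page-on-shared-hosting")
    return {"url": url, "host": host, "reasons": reasons}


def triage_message(text: str) -> dict:
    """Scan one message body: lure phrase plus every embedded link."""
    findings = []
    if any(phrase in text.lower() for phrase in LURE_PHRASES):
        findings.append("known-lure-phrase")
    links = [classify_link(u.rstrip(".,;:!?)")) for u in URL_RE.findall(text)]
    for link in links:
        findings.extend(link["reasons"])
    return {"suspicious": bool(findings), "findings": findings, "links": links}


# Constructed sample message in the style the article describes.
SAMPLE_MESSAGE = (
    "Hi, I shared a LinkedIn Private Shared Document with you. "
    "View it here: https://linkedin-share.appspot.com/login."
)

if __name__ == "__main__":
    result = triage_message(SAMPLE_MESSAGE)
    print("suspicious:", result["suspicious"])
    for finding in result["findings"]:
        print(" -", finding)
```

A legitimate `https://www.linkedin.com/login` link produces no findings, and an unrelated project hosted on one of the shared platforms without a login path is left alone, which is the point: the check keys on the mismatch between branding and hosting rather than on the hosting platform by itself. This is a triage aid for a mail or chat gateway and for awareness training, not a substitute for the out-of-band notification and password reset the article recommends.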
“If you see any more LinkedIn messages like this […] you’ll want to let that person know out of band that their account has been compromised and that they should update their LinkedIn password, as well as report the abuse to LinkedIn,” Bowers advised.
The victims will have to let their LinkedIn contacts know about the compromise and, in some cases, this will result in some of those contacts realizing they’ve been tricked as well and that they must go through the same process.
Finally, if the compromised LinkedIn password has been used on other accounts and sites, it has to be changed there as well – ideally to a new, unique one.