LinkedIn-themed phishing abuses Adobe’s A/B testing platform
A newly documented phishing campaign is targeting professionals with fake LinkedIn business emails and abusing a trusted service operated by Adobe.
The attack from the victim’s perspective
The attack starts with an email that looks, at first glance, like a routine business inquiry: someone wants to do business with you through LinkedIn and has attached a signed contract for your review.

The phishing email (Source: Malwarebytes)
The message is short and professional, and both the sender's name and company are real (though a potential victim who checks will see that the sender does not appear to work at that particular company).
Those who open the attachment will be faced with a familiar-looking LinkedIn login page, with their email address already filled in.
If they type their password and hit submit, they will be redirected to the real LinkedIn. In the background, the login credentials are sent to a server operated by the attackers.
The tricks behind the attack
The attackers used several layers of deception to make this attack effective and hard to detect for victims and email security solutions.
They are impersonating a legitimate platform, and the lure is not out of place, as professionals routinely receive business inquiries through LinkedIn.
By using double extensions, they disguised the attached HTML file as a PDF file, and the HTML file is heavily obfuscated.
The email field in the fake login form is pre-filled with the target’s email, making the page feel personalized and trustworthy.
Finally, they are abusing Adobe’s infrastructure: rather than sending the victim straight to their own servers, the attackers route the browser through Adobe Target, a legitimate A/B testing platform hosted at an omtrdc.net domain.
This serves two purposes: it makes the network traffic look like it’s going to a trusted Adobe address, and it likely allows the attackers to track which victims actually clicked through and submitted their credentials.
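The attachment traits described above (an HTML file posing as a PDF, a password form, the recipient's address baked into the page, a reference to an omtrdc.net host) can be checked during mail triage. The following Python example is added here and is not from Malwarebytes or the original article; the function names, the sample message, the addresses and the client.tt.omtrdc.net URL are constructed assumptions.

```python
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}   # what the file claims to be
HTML_EXTS = {".html", ".htm", ".shtml"}                   # what it really is
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
# Any host under omtrdc.net, the Adobe Target domain named in the article.
TARGET_HOST = re.compile(r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*omtrdc\.net(?![\w.-])", re.I)

def triage_attachments(msg):
    """Return {filename: [findings]} for attachments showing the described traits."""
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    report = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, last_ext = os.path.splitext(name)
        inner_ext = os.path.splitext(stem)[1]
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        findings = []
        if last_ext in HTML_EXTS and inner_ext in DECOY_EXTS:
            findings.append("double-extension")
        if PASSWORD_FIELD.search(body):
            findings.append("password-field")
        if recipient and recipient in body.lower():
            findings.append("recipient-prefilled")
        if TARGET_HOST.search(body):
            findings.append("adobe-target-host")
        if findings:
            report[part.get_filename()] = findings
    return report

def build_sample(filename, payload, subtype):
    """Constructed test message; every name, address and URL here is made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "Alex Doe <alex.doe@example.com>"
    msg["Subject"] = "Signed contract for your review"
    msg.set_content("Please review the attached contract.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg

SAMPLE_HTML = (b'<form action="https://client.tt.omtrdc.net/constructed/path">'
               b'<input type="email" value="alex.doe@example.com">'
               b'<input type="password" name="p"></form>')

if __name__ == "__main__":
    print(triage_attachments(build_sample("Signed_Contract.pdf.html", SAMPLE_HTML, "octet-stream")))
    print(triage_attachments(build_sample("report.pdf", b"%PDF-1.7 constructed", "pdf")))
```

Because the HTML in this campaign is heavily obfuscated, the three content checks may find nothing in the raw file; the double-extension check depends only on the filename and still fires.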
These attacks are built to scale
Careful users should be able to spot the phishing warning signs, but a moment of distraction is sometimes enough to fall victim to these kinds of tricks.
And, as Malwarebytes researchers correctly note, these attacks are cheap, scalable, and likely to keep circulating.
Aside from avoiding opening unsolicited attachments, users should enable multi-factor authentication for critical accounts, and make it a habit to only access their accounts through official apps, by typing the official website directly into their browser, or via a bookmark they created themselves.

