Hackers have launched a new phishing campaign against LinkedIn members that uses compromised LinkedIn accounts to send messages with malicious links and downloads to potential victims in an attempt to steal credentials and personal information.

The campaign, first spotted by security researchers at cybersecurity firm Malwarebytes, makes use of real LinkedIn accounts that have been compromised in order to make the phishing messages sent via LinkedIn’s messaging system appear legitimate.

According to Malwarebytes researchers, the attackers have managed to hijack a number of LinkedIn member accounts, including some with paid Premium membership status that allows them to contact users directly—even those who they are not directly connected with—through LinkedIn’s InMail feature.

The fraudulent messages appear directly on LinkedIn or can be received via email. Most appear as if the LinkedIn user is sharing a Google Drive file with the victim and contain a malicious link, obscured by a URL shortener to hide its true destination.

Shortened URLs are often used in these types of attacks to hide malicious sites, but they are also common on social media platforms to save space, so they may not trigger a user's suspicion. Even for those who are concerned, expanding the URL doesn’t necessarily reveal its true intent, as the hackers use a free hosting provider, gdk.mx, to redirect to the malicious site.

Once a victim lands on the hacker’s website, they are presented with a login screen that appears like the standard Google login page. If the user enters their username and password, that information will be harvested by the hackers and used to steal their Google account.

Other versions of the attack are also used to target Yahoo and AOL users.
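The chain described above (shortened link, redirect through gdk.mx, sign-in page served from somewhere other than the provider's own host) can be checked on the defensive side once a mail gateway or proxy has recorded the redirect hops. The following is an added example, not code from Malwarebytes or the article; the shortener list, the sign-in host allow-list, the `brand` label (assumed to come from an analyst or a page classifier) and the sample URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed lists for illustration; only gdk.mx is named in the article.
SHORTENERS = {"bit.ly", "ow.ly", "tinyurl.com"}
FREE_HOSTING = {"gdk.mx"}
# Hosts where each provider's real sign-in page lives (assumed allow-list).
LOGIN_HOSTS = {
    "google": {"accounts.google.com"},
    "yahoo": {"login.yahoo.com"},
    "aol": {"login.aol.com"},
}

def host_of(url):
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def under(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def assess_chain(hops, brand):
    """Return findings for a redirect chain.

    hops  -- URLs in the order a redirect-following proxy recorded them
    brand -- provider whose sign-in page the final hop presents
    """
    hosts = [host_of(u) for u in hops]
    findings = []
    if hosts and under(hosts[0], SHORTENERS):
        findings.append("shortened-entry")
    if any(under(h, FREE_HOSTING) for h in hosts):
        findings.append("free-hosting-hop")
    # Exact match: "accounts.google.com.example.test" must not pass.
    if hosts and hosts[-1] not in LOGIN_HOSTS.get(brand, set()):
        findings.append("login-off-domain")
    return findings

# Constructed sample chains (not taken from the campaign).
SUSPICIOUS = [
    "https://ow.ly/PLACEHOLDER",
    "http://constructed-name.gdk.mx/doc",
    "https://accounts.google.com.example.test/signin",
]
BENIGN = ["https://accounts.google.com/signin"]
```

The final-hop check is the one that matters most: a shortener or a free-hosting hop alone is only a weak signal, while a provider's sign-in form served from any other host is the credential-harvesting step itself.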

Not satisfied with just the standard login credentials, the hackers will also ask their victims to enter other information as a means of confirming their identity. The malicious site will ask for a phone number or secondary email address before finally showing users the supposed document they were linked to.

The Google Docs file victims see once they hand over their credentials and other personal information, which may be used to compromise their account, is a decoy article about wealth management from Wells Fargo.

While the full extent of the phishing campaign is difficult to measure, Malwarebytes reported the majority of the compromised accounts had at least 500 connections on the platform, allowing for the potential of a widespread attack. Thus far, it is believed about 250 people have clicked the phishing link—though it is possible not all handed over their credentials.

Looming large over this phishing scam is the 2012 breach of LinkedIn, which resulted in more than 117 million user accounts and passwords being compromised. That information has surfaced on the dark web and been traded, sold and accessed by hackers.

Because users often reuse passwords or fail to change them after a breach, the accounts involved in that breach are at risk of being used in the phishing campaign.