A new LinkedIn phishing scam has been detected that uses compromised LinkedIn Premium accounts to send InMail messages and private messages to other LinkedIn users. The messages appear genuine at first glance, but are being used to obtain email login credentials. Those email accounts will undoubtedly be used in more extensive phishing scams.
Phishers have been gaining access to genuine LinkedIn accounts and using them to send InMail messages to the account holders’ contacts. Since the messages appear to come from a contact, they are more likely to be trusted.
Malwarebytes reports that one of the compromised accounts had 500 contacts, each of whom would have received a message. At the time of writing, 256 individuals had clicked on the link, showing just how effective this type of LinkedIn phishing scam can be. It is unclear how many of those individuals revealed their credentials.
This LinkedIn phishing scam includes a link to a document shared via Google Drive; however, clicking the link directs the user to a spoofed website where they are required to enter their email account information to view the document. Entering that information hands it to the scammers, who gain access to the victim’s email account and also obtain their phone number. The document is then opened and the victim is presented with information ‘from’ Wells Fargo Wealth Management.
This tactic makes it appear that the link was genuine. Victims are unlikely to be alerted to the fact they have just been scammed. The victims’ credentials will then be used for malicious purposes, such as sending more phishing emails to their contacts. The accounts can be trawled for other sensitive information, and victims will almost certainly be subjected to further phishing and social engineering scams.
Identifying this LinkedIn phishing scam is difficult, as the attackers have managed to spoof the security footer in the InMail messages. Shortened URLs are also used, making it harder to determine the true destination of the link. Shortened URLs also appear in genuine messages, so their presence alone does not mark a message as malicious. This LinkedIn phishing scam uses the ow.ly and gdk.mx shortening services.
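
The check a mail or messaging gateway could apply to the pattern described above, as an added example that is not taken from the Malwarebytes report: find links on the ow.ly and gdk.mx shorteners and compare the expanded destination with the Google Drive claim in the message. The `resolve` callable, the list of Google Drive hosts, and all sample messages and URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Shortening services named in the article; extend with others seen locally.
SHORTENER_HOSTS = {"ow.ly", "gdk.mx"}
# Assumption: hosts a genuine Google Drive share link would land on.
GOOGLE_DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname without a leading 'www.' or trailing dot."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def triage_message(body, resolve):
    """Return one finding per link found in the message body.

    resolve(url) is supplied by the caller (hypothetical link expander) and
    returns the final destination of a shortened URL, or None on failure.
    """
    claims_drive = "google drive" in body.lower()
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?")  # drop sentence punctuation after the link
        shortened = host_of(url) in SHORTENER_HOSTS
        final = resolve(url) if shortened else url
        if not shortened:
            verdict = "ok"  # only shortened links are judged here
        elif final is None:
            verdict = "hold: shortened link could not be expanded"
        elif claims_drive and host_of(final) not in GOOGLE_DRIVE_HOSTS:
            verdict = "suspicious: says Google Drive, lands elsewhere"
        else:
            verdict = "review: shortened link"
        findings.append({"url": url, "final": final, "verdict": verdict})
    return findings


# Constructed sample data: message text and destinations are invented.
SAMPLE_EXPANSIONS = {
    "http://ow.ly/EXAMPLE1": "https://login.example.net/view-doc",
    "http://gdk.mx/EXAMPLE2": "https://drive.google.com/file/d/EXAMPLE/view",
}
SAMPLE_MESSAGE = ("I have shared a document with you via Google Drive. "
                  "View it here: http://ow.ly/EXAMPLE1.")

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MESSAGE, SAMPLE_EXPANSIONS.get):
        print(finding)
```

Because the spoofed footer makes the message itself look legitimate, the verdict here rests only on where the link actually leads, not on how the message is dressed.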
Malwarebytes reports that the same scam is being used to send messages to individuals who are not in the compromised account holder’s list of contacts, allowing the scam to be performed on a far greater range of users.