LinkedIn and the story of how crooks can use it for spear phishing

Pierluigi Paganini July 24, 2015

Kaspersky’s researchers warned LinkedIn about a security flaw that could put its 360 million users at risk by exposing them to spear phishing attacks.

In November 2014, Kaspersky’s researchers warned LinkedIn about a security flaw that could put its 360 million users at risk. This was a big concern at the time because LinkedIn hosts many people from the business world, and any security flaw there makes spear phishing easier and more efficient to execute.

The big risk is that with a specially crafted spear phishing campaign a crook can steal credentials and most probably gain control of the victim’s assets, all without the need for social engineering.

At the time, LinkedIn fixed the vulnerability and said: “While certain HTML content should be restricted and we have issued a fix and thanked Kaspersky researchers; the likelihood of exploit on popular modern email platforms is unlikely.”
[Image: LinkedIn Spear phishing]

In the words of SecureList, “Researchers found the vulnerability after noticing escape character differences when posting comments from different devices in various posts. The second alert was a malfunction in the platform’s back-end parser that simply interpreted a CRLF (“Enter” keystroke) to an HTML tag <br />, appending it to the post as text. The two were not connected to each other, but they both raised important questions.”

There is a clear risk of underestimating this security issue, and at the same time crooks could be interested in launching a malicious campaign against such a popular platform.

People were puzzled because they couldn’t understand what was going on, but something clearly wasn’t right. Investigators could partially imitate the behavior of the escape character but weren’t able to bypass the anti-Cross-site Scripting (XSS) protection. Eventually they had a breakthrough and discovered the following:

  • If someone posted a comment containing HTML tags from the web interface, the less-than character would be encoded as “%3C”.
  • The same input from a mobile device would be encoded as “&lt;”.

However, what does this mean? Is LinkedIn vulnerable?

To answer the question, let’s run two tests.

Before explaining the tests, keep in mind that every time you comment on a post, you will receive e-mail notifications when other users reply to the same post.

Now see the same comment, when someone commented on a post from the LinkedIn website:

[Image: LinkedIn Spear phishing 2]

Now the same comment, when that person posts it from the mobile application:

[Image: LinkedIn Spear phishing 3]

What does this prove? It proves that LinkedIn was using two different email platforms, and that the one used by the mobile application could be used to deliver a malicious payload.
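As an added illustration (constructed for this article, not LinkedIn’s code or the researchers’ test), the following Python models the class of bug described above and in the encoding findings earlier: two client paths store the same comment with different encodings, and a notification renderer that assumes only one of those encodings leaks user-supplied HTML into the e-mail body. Which path happens to come out harmless in this model is a property of the model, not a claim about LinkedIn’s platforms; the hardened renderer shows the fix, which is to undo exactly the known input encoding and escape for the HTML context at output time.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample comment: harmless markup plus an "Enter" keystroke (CRLF).
COMMENT = "<b>Please review</b>\r\nThanks"

EMAIL_TEMPLATE = "<p>New reply on your post:</p><div>{body}</div>"

def ingest_web(comment):
    # Web client path: URL-encodes, so '<' is stored as %3C.
    return ("web", quote(comment, safe=" "))

def ingest_mobile(comment):
    # Mobile client path: HTML-entity-encodes, so '<' is stored as &lt;.
    return ("mobile", html.escape(comment, quote=False))

def newlines_to_br(text):
    # Back-end behaviour described in the article: CRLF becomes a <br /> tag.
    return text.replace("\r\n", "<br />").replace("\n", "<br />")

def render_naive(record):
    # Naive notification renderer: URL-decodes whatever was stored, converts
    # newlines and drops the result into the HTML template with no escaping
    # for that context. Entity-encoded input survives by luck; URL-encoded
    # input comes out as live markup inside the e-mail.
    _, stored = record
    return EMAIL_TEMPLATE.format(body=newlines_to_br(unquote(stored)))

def canonicalize(record):
    # Undo exactly the encoding this ingestion path applied, and nothing more,
    # so every comment reaches the renderer as plain text.
    source, stored = record
    return unquote(stored) if source == "web" else html.unescape(stored)

def render_hardened(record):
    # Escape for the HTML context at output time, then add the <br /> tags,
    # so the only markup in the e-mail body is what the renderer itself adds.
    plain = canonicalize(record)
    return EMAIL_TEMPLATE.format(body=newlines_to_br(html.escape(plain, quote=True)))

def leaks_markup(rendered, tag="<b>"):
    # Regression check a defender can keep in the test suite: a user-supplied
    # tag must never survive verbatim in a rendered notification.
    return tag in rendered
```

Running `render_naive` and `render_hardened` over both records shows that only the hardened renderer produces the same escaped output regardless of which client the comment came from.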

[Image: LinkedIn Spear phishing 4]

Another good example of how the (now fixed) vulnerability could be exploited at the time.

This is how a comment would look when viewed directly in LinkedIn:

[Image: LinkedIn Spear phishing 5]

Now see the same comment when received by mail:

[Image: LinkedIn Spear phishing 6]

This means that a crook could use the flaw to inject malicious code, to redirect you to a malicious site serving malware, or simply to steal the user’s credentials.

Mitigation

As I said at the beginning of the article, LinkedIn fixed this issue, but crooks still use LinkedIn to get valuable information about their victims, so be careful and always keep these tips in mind:

  • Do not use your work e-mail to register on social media.
  • Be careful when opening attachments and clicking on links, even if they are sent by your close friends.
  • Use a solution that can block dangerous redirections.
  • Be suspicious when you receive a connection request from a contact that has no links with people you already know.
  • Be suspicious when you receive a connection request from someone with a strange photo.
  • Do not accept a connection from someone with only generic titles and no verifiable information about their company.
  • Be suspicious if the profile behind a connection request has no endorsements; that is normally a strong indicator of a fake profile.
  • Be suspicious when you receive a LinkedIn message telling you to send your CV to a strange (non-corporate) e-mail address.
  • Don’t comment on or like LinkedIn posts such as “Please like my comment so I can contact you about a possible job”.

History can teach us lessons and help us avoid future problems, so be careful about the connections you accept and the personal and work details you share, because they can be used for good but also for bad, and with the right piece of information crooks can “open some doors”.

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead McAfee Security Engineer at Swiss Re, and he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog http://high54security.blogspot.com/

Pierluigi Paganini

(Security Affairs – LinkedIn, Spear Phishing)
