Pierluigi Paganini November 06, 2016

Experts from Heimdal Security reported a recent LinkedIn phishing campaign aiming to collect confidential information from unsuspecting users.

Phishing attacks continue to be a serious threat, crooks exploit paradigms such as social medial platforms and mobile in the attempt of stealing sensitive data.According to 2015 Verizon Data Breach Investigation Report, 23% of email recipients open phishing messages and 11% click on malicious attachments … and this is just the tip of the iceberg.

Experts at Heimdal Security reported a recent LinkedIn scam aiming to collect confidential information from unsuspecting users.

The attack vector is an email like this:

Wait, LinkedIn is requesting files from me? LinkedIn is requesting to send documents via email to confirm my identity?

Unfortunately, many users fall victims of this absurd invite.

The email asks for a payment receipt, so premium LinkedIn users could fall into the trick of sending their payment information.

Giving a close look at the sender’s email address

postmaster [@] fnotify.com

It is easy to notice that the message doesn’t come from the professional social media platform.

The domain used by phishers http : [//]fnotify.com/ is an empty WordPress website, likely a compromised website used for the campaign.

The message also requests victims to upload the document to a Dropbox folder, that is alarming, none will ask you to upload your ID document to a cloud storage platform.

“The Dropbox link is clean when scanned through VirusTotal, which shows that this recent campaign has not yet been picked up by antivirus solutions.” states the analysis published by Heimdal Security.

Another element that should raise suspicion is the time limit referred in the email, a classic social engineering approach used to trick victims into following the instructions provided in the message.

Now let’s analyze the link in the top right corner of the message, it leads to a password reset page, secured with HTTPS.

“The link is placed on the recipient’s name and leads to a password reset page, secured by HTTPS. Strangely enough, this is actually a safe page, which could prompt the email recipients to believe that the rest of the email is valid and legitimate as well.” continues the analysis.

Going forward, the experts noticed many other strange issues, I invite you to give a look at the analysis. Awareness of such kind of scams is important to make them ineffective.

To report phishing messages you’ve received, please email phishing@linkedin.com.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – LinkedIn phishing, cybercrime)