27 Jan 2020

LinkedIn Account Compromised

Phishing continues to be a favorite of criminals for harvesting user credentials, using more or less sophisticated social engineering tricks. In this blog post, I would like to take a look at an old but still active attack happening on LinkedIn, which uses existing LinkedIn user accounts to send phishing links to their contacts via private message.

What makes this phishing attack interesting is the abuse of long-standing, trusted accounts that were hacked. In the past week, I have received over 100 of these messages from close colleagues among our US counterparts, most of them not up to date with IT security or cyber knowledge. The accounts get hacked in one of several ways; my contacts have narrowed it down to one of two causes: either they had an easily cracked password, or a keylogger had been maliciously installed on their PC or mobile phone. Once the hacker has access to their LinkedIn account, they send a fraudulent message that includes a reference to a shared document and a link that redirects to a phishing site impersonating OneDrive/Office 365, which requires potential victims to log in. This is a new attempt: in 2017 the same thing happened on LinkedIn with Google Drive.

Those who proceed will have their username, password, and phone number stolen, but won’t realize they were duped right away. Indeed, this phishing scam ends on a tricky note, with a decoy document about a potential business proposal.

Private message

This message was received from a trusted, existing contact, although the time stamp shows 7:17 PM GMT+8, as I am in Singapore, while my colleague is on the East Coast of America, where the time was 06:17 AM EST. Being an IT professional and a leader in digital transformation and the digital age, the first red flag I saw was that this contact had stated a ”New Business Financial Proposal”, then a link to OneDrive, where most businesses use Office 365, but the URL is not branded to a specific domain. That showed me that it’s not a genuine business document share.

Clicking on the link brings me to this document:

When I hover over View Message Folder, the URL is “http://nihoering.top/jahblessmenow/jhhss/vnmn/cymk”, which brings you to a fake look-alike of the Office 365 login.
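As an added example that is not part of the original post, the following Python script applies the two checks described above to a message like this one: whether a link that claims to be a OneDrive/Office 365 share actually points to a Microsoft-operated host, and what the sender’s local hour was when the message arrived. The Microsoft host allowlist, the sample message and the `contoso`/`.example` comparison links are assumptions constructed for the demonstration; the phishing URL is the one quoted above.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Illustrative allowlist of hosts that legitimately serve OneDrive / Office 365
# share links and sign-in pages (an assumption; a real deployment would keep
# its own list, including the tenant's *.sharepoint.com name).
MICROSOFT_SUFFIXES = ("sharepoint.com", "onedrive.live.com", "1drv.ms",
                      "microsoftonline.com", "office.com")
BRAND_WORDS = ("onedrive", "office365", "office 365", "sharepoint", "microsoft")


def host_is_microsoft(url):
    """True when the link's host is, or is a subdomain of, an allowlisted host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)


def assess_share_link(message, url):
    """Return the red flags raised by a 'shared document' message and its link."""
    flags = []
    parsed = urlparse(url)
    claims_brand = any(w in message.lower() for w in BRAND_WORDS)
    if claims_brand and not host_is_microsoft(url):
        flags.append("claims OneDrive/Office 365 but host is %s" % parsed.hostname)
    if parsed.scheme != "https":
        flags.append("link is not HTTPS")
    if not host_is_microsoft(url) and any(w in url.lower() for w in BRAND_WORDS):
        flags.append("brand name used in a non-Microsoft URL (look-alike)")
    return flags


def sender_local_hour(received_local, receiver_utc_offset, sender_utc_offset):
    """Convert the receiver's wall-clock time to the sender's local hour."""
    utc = received_local - timedelta(hours=receiver_utc_offset)
    return (utc + timedelta(hours=sender_utc_offset)).hour


def off_hours(hour, start=8, end=18):
    """True when an hour falls outside a plausible working day."""
    return not (start <= hour < end)


# Constructed sample message; the link is the one quoted in the post above.
PHISH_MESSAGE = "Please review the New Business Financial Proposal I shared on OneDrive."
PHISH_URL = "http://nihoering.top/jahblessmenow/jhhss/vnmn/cymk"
# Received 7:17 PM Singapore time (UTC+8); the sender is on US Eastern time (UTC-5).
RECEIVED_SGT = datetime(2020, 1, 27, 19, 17)

if __name__ == "__main__":
    for flag in assess_share_link(PHISH_MESSAGE, PHISH_URL):
        print("red flag:", flag)
    hour = sender_local_hour(RECEIVED_SGT, 8, -5)
    print("sender's local hour: %02d:00, off-hours: %s" % (hour, off_hours(hour)))
```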

Personal security and its implications

I personally do not know how many LinkedIn accounts were compromised in this fashion recently. The user whose account was hacked had over 500 connections on LinkedIn and, based on my research, I can guess that 200+ people clicked on the phishing link.

This kind of attack via social media is not new – we have all seen hacked Skype or Facebook accounts send spam – but it reminds us how much more difficult it is to block malicious activity when it comes from long-standing, trusted user accounts, not to mention work acquaintances or relatives.

If your LinkedIn account gets compromised, you should immediately review its settings, change your password and enable two-step verification.