Compromised LinkedIn Accounts Used in Phishing Scheme

Analysts at the security software company Malwarebytes recently detected a phishing campaign that uses compromised LinkedIn accounts to spread malicious links to the other LinkedIn members listed in the compromised accounts' "connections" lists. Compromised accounts that have LinkedIn's InMail feature enabled, which is available to Premium subscribers, are also being used in the same campaign to send direct messages to members who are not connections of the account.

The malicious links are hidden behind a URL shortener and presented as a shared Google Doc so that neither the message text nor a hover preview reveals the true destination. Once clicked, the link redirects the recipient to a phishing page hosted on a compromised legitimate website. That page is a clone of a Google, Yahoo!, or AOL login page designed to trick victims into entering their usernames, passwords, and other identifying information. With those credentials, the actor behind the campaign can take over the victim's email account, and from there any other online accounts that are linked to that email address or that reuse the same login credentials.

Because LinkedIn is a social media platform built for business networking, this type of campaign has the potential to be very effective: unlike on other social platforms, LinkedIn connections are often people the user has met in person or knows professionally, so a message from one of them carries implicit trust. Lures framed as lucrative contracts or job offers could likewise entice unsuspecting members to click a malicious link. The NJCCIC recommends that LinkedIn members treat unsolicited LinkedIn messages the way they would unexpected emails, and verify any message containing an obfuscated (shortened) URL with the sender through a separate channel before clicking any links or downloading any attachments.
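The practical check behind that recommendation is to expand the shortened link without opening it in a browser and compare where it finally lands against the service it claims to be. The script below is an added example, not code from Malwarebytes or the NJCCIC: it follows HTTP redirects one hop at a time with HEAD requests (so every intermediate host is visible), then flags a chain whose final host is not on an allow-list of real sign-in hosts. The allow-list, the `short.example` / `hacked-blog.example` hostnames and the redirect chains in `FAKE_HOPS` are constructed for the demonstration and stand in for a real shortener, a real compromised site and a real cloned login page.

```python
import http.client
from urllib.parse import urljoin, urlparse

# Hosts that legitimately serve the sign-in pages this campaign imitates.
# Illustrative allow-list (an assumption of this example, not from the advisory);
# adapt it to the services your users actually sign in to.
EXPECTED_LOGIN_HOSTS = {
    "docs.google.com",
    "accounts.google.com",
    "login.yahoo.com",
    "login.aol.com",
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def head_location(url, timeout=5):
    """Issue one HEAD request and return (status, Location header or None).

    Redirects are deliberately NOT followed here so expand() can record every hop.
    This does contact the target server (the attacker may log the hit) but submits
    nothing and never renders page content.
    """
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_location, max_hops=10):
    """Follow HTTP redirects hop by hop and return the whole chain, start first.

    `fetch(url)` returns (status, location). The chain stops at the first
    non-redirect response, at a loop, or after max_hops.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            break  # redirect loop
        seen.add(nxt)
        chain.append(nxt)
    return chain


def assess(chain, expected_hosts=EXPECTED_LOGIN_HOSTS):
    """Return (verdict, reason) based on the host the chain finally lands on.

    Exact hostname match on purpose: 'accounts.google.com.example', or a path
    that merely contains 'google' on some other host, must not pass.
    """
    final = urlparse(chain[-1])
    final_host = (final.hostname or "").lower()
    if final_host in expected_hosts:
        return "expected", f"lands on {final_host}"
    if final.scheme != "https":
        return "suspicious", f"lands on {final_host!r} over plain HTTP"
    return "suspicious", f"lands on {final_host!r}, not a known sign-in host"


# Constructed redirect chains for an offline demonstration (not real URLs).
FAKE_HOPS = {
    # shortener -> hacked WordPress site -> cloned Google sign-in page
    "https://short.example/x7Qp": (301, "https://hacked-blog.example/wp-content/uploads/"),
    "https://hacked-blog.example/wp-content/uploads/": (302, "/wp-content/uploads/accounts.google.com/signin.html"),
    "https://hacked-blog.example/wp-content/uploads/accounts.google.com/signin.html": (200, None),
    # benign shortened link to a genuine shared document
    "https://short.example/ok1": (302, "https://docs.google.com/document/d/1abc/edit"),
    "https://docs.google.com/document/d/1abc/edit": (200, None),
    # two shortener hops that loop on each other
    "https://short.example/loopA": (302, "https://short.example/loopB"),
    "https://short.example/loopB": (302, "https://short.example/loopA"),
}


def fake_fetch(url):
    """Offline stand-in for head_location(), backed by FAKE_HOPS."""
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for start in ("https://short.example/x7Qp", "https://short.example/ok1", "https://short.example/loopA"):
        chain = expand(start, fetch=fake_fetch)
        verdict, reason = assess(chain)
        print(f"{verdict}: {reason}")
        for hop in chain:
            print("    ", hop)
```

Two caveats when using this against real links. A path like `/accounts.google.com/signin.html` on the compromised site is exactly the kind of decoy a cloned page uses, which is why the verdict is decided by the landing hostname only. And some redirectors switch hops with JavaScript or a `<meta refresh>` rather than an HTTP 3xx, so an HTTP-only expander stops early on a 200; a chain that ends anywhere other than the expected host should still be treated as suspicious, not as inconclusive.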