A malicious campaign targeting Slovakian internet users is another grim reminder of how phishing operators use legitimate brands and services to evade security controls. The article discusses how attackers used a trusted domain like LinkedIn to bypass secure email gateways.

Phishing actors abused LinkedIn’s Smart Link feature to slip past email security products and redirect victims to phishing pages that harvest bank account details, credit card numbers, and other private information. Smart Link served a second purpose as well: its built-in click analytics let the operators track how effective their campaigns were and tune their lures accordingly.

Threat analysts at Cofense spotted the latest wave of Smart Link abuse in malicious campaigns luring Slovakian users with fake postal service notices.

About Smart Link

Smart Link is a LinkedIn marketing feature available to Premium subscribers. It lets a sender point recipients to content through a single LinkedIn URL, behind which the sender can place multiple pieces of marketing collateral, such as documents, PDFs, Excel files, images, and webpages. Recipients receive an email containing the LinkedIn link, which redirects them to the content behind it. Slink users also get relatively detailed information on who viewed the content and how they interacted with it.

How the Attack Unfolded

The lure tells targets that the Slovakian Postal Service needs to recover outstanding shipping costs. The approach adapts easily to other regions because the Slink redirect works the same way whichever postal brand is impersonated. Attackers abuse the legitimate LinkedIn feature by appending unique alphanumeric variables to the end of the URL so that it redirects victims to malicious websites.

  • Targeted users receive an email containing the text, “Slovak Post took the initiative and forwarded you this email to inform you that your shipment is still awaiting instructions.”
  • Clicking the “Potvrd’te to” (“Confirm it”) button takes users to the first stage of the attack.
  • A payment page opens and asks users to enter their bank card details to finalize the shipment order.
  • Users are then shown a message saying their payment was received and are asked for an SMS code supposedly sent to their phone number.
  • Whatever digits the victim enters, the page redirects to a final, fake confirmation page, deflecting suspicion.
  • Analysts examined the phishing landing page, which was built to resemble the authentic Slovakian Post site, and found that its URL does not correspond to the genuine Slovakian Post URL https://tandt[.]posta[.]sk/en.
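
The last step above is the observable a defender can check mechanically: however trustworthy the first hop looks, the chain of redirects ends on a host that is not under the brand’s real domain. The following is an added example written for this article, not code from Cofense, LinkedIn or the original report. It assumes a mail sandbox has already recorded each redirect as a URL-to-Location mapping; the redirector host (`redirect.trusted-brand.example`), the lookalike landing host, and the HTML snippet are constructed placeholders, and only the `posta.sk` brand domain comes from the article.

```python
"""Offline triage of links in a suspected parcel-fee phishing email.

Added example, not code from the original article, Cofense or LinkedIn.
Assumes a sandbox has recorded the redirect chain as a URL -> Location map.
All hosts except the posta.sk brand domain are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Redirector services that phishing mail is known to route through.
# Placeholder host, not LinkedIn's real Smart Link host.
KNOWN_REDIRECTORS = {"redirect.trusted-brand.example"}

# Legitimate domain the lure impersonates (the article names tandt.posta.sk).
EXPECTED_BRAND_DOMAIN = "posta.sk"
MAX_HOPS = 10


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def under_domain(host, domain):
    """True only for the domain itself or a real subdomain of it.
    A lookalike such as 'posta.sk.parcel-fee.example' does not pass."""
    return host == domain or host.endswith("." + domain)


def follow_chain(url, redirects, max_hops=MAX_HOPS):
    """Resolve url through the recorded redirect map; stops on loops or hop limit."""
    chain, seen = [url], {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = urljoin(chain[-1], redirects[chain[-1]])
        if nxt in seen:
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def triage_link(href, text, redirects, brand_domain=EXPECTED_BRAND_DOMAIN):
    """Return (href, final_url, findings); an empty findings list means no issue."""
    chain = follow_chain(href, redirects)
    hops = [host_of(u) for u in chain]
    findings = []
    if any(h in KNOWN_REDIRECTORS for h in hops):
        findings.append("routes through a third-party redirector")
    if not under_domain(hops[-1], brand_domain):
        findings.append(f"lands on {hops[-1]!r}, not under {brand_domain!r}")
        if brand_domain in text.lower():
            findings.append("link text names the brand but the destination does not")
    return href, chain[-1], findings


def triage_email(html, redirects):
    """Run every link in the message body through the checks above."""
    return [triage_link(href, text, redirects) for href, text in extract_links(html)]


# Constructed sample: the lure button goes via the redirector to a lookalike host,
# while a second link points at the genuine tracking site named in the article.
SAMPLE_HTML = """
<p>Slovak Post took the initiative and forwarded you this email ...</p>
<a href="https://redirect.trusted-brand.example/r?code=AB12cd">Potvrd’te to</a>
<a href="https://tandt.posta.sk/en">tandt.posta.sk</a>
"""
SAMPLE_REDIRECTS = {
    "https://redirect.trusted-brand.example/r?code=AB12cd":
        "https://posta.sk.parcel-fee.example/pay",
}

if __name__ == "__main__":
    for href, final_url, findings in triage_email(SAMPLE_HTML, SAMPLE_REDIRECTS):
        print(href, "->", final_url, findings or ["ok"])
```

The suffix check in `under_domain` is deliberate: a naive substring match would accept `posta.sk.parcel-fee.example` because the brand name appears in it, which is exactly the trick lookalike hosts rely on. The hop limit and loop guard in `follow_chain` keep the triage from hanging on redirect loops that sandboxes occasionally record.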

LinkedIn Comments on the Attack

When BleepingComputer asked LinkedIn to comment on the Slink phishing campaign, the company said its internal teams strive to take action against threat actors who attempt to harm LinkedIn users through phishing.

“We encourage our members to report all suspicious messages, and we will help them learn more about steps they can undertake to safeguard themselves, including two-step verification.”

It’s Not the First Time Attackers Abused the Smart Links Feature

This was not the first time threat actors abused LinkedIn’s Smart Links feature in a phishing operation, but it was one of the rare instances in which emails carrying doctored LinkedIn Slinks reached user inboxes. Cofense, a phishing protection vendor, was actively tracking the ongoing Slovakian campaign and issued a report this week on its analysis so far.

LinkedIn Advisory on How to Report Phishing Scams

LinkedIn never asks for your password or requests that you download any program. LinkedIn sends from several email domains, which are determined by its email service provider (ESP); however, it assures members that emails from linkedin@el.linkedin.com and linkedin@e.linkedin.com are legitimate. LinkedIn publishes a detailed advisory on its website that suggests users look for the following warning signs of a phishing message:

  • Messages containing bad grammar and spelling, and not addressed to the user personally.
  • Messages asking the user to act immediately.
  • Messages asking the user to open an attachment and install a software update.
  • Subject: Account Suspended
  • Subject: LinkedIn Terminating your Account
  • Subject: Your LinkedIn Profile Security Alert
  • Subject: Your Account Will Get Terminated!
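
These warning signs translate directly into a first-pass triage rule set. The following is an added example for this article, not code from LinkedIn, Cofense or the original report. The two legitimate sender addresses and the four subject lines are the ones quoted above; the urgency phrases, the impersonal greetings, the attachment extensions and the three sample messages are constructed assumptions for illustration.

```python
"""Score an inbound message against the warning signs LinkedIn's advisory lists.

Added example, not code from the article, LinkedIn or Cofense. The legitimate
sender addresses and subject lines come from the advisory as quoted; the
phrase lists and sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Sending addresses the article says LinkedIn confirms as legitimate.
LINKEDIN_SENDERS = {"linkedin@el.linkedin.com", "linkedin@e.linkedin.com"}

# Subject lines the advisory lists as common phishing lures (lower-cased).
SUSPICIOUS_SUBJECTS = {
    "account suspended",
    "linkedin terminating your account",
    "your linkedin profile security alert",
    "your account will get terminated!",
}

# Constructed heuristics for "act immediately" pressure and impersonal greetings.
URGENCY = re.compile(r"\b(immediately|within 24 hours|right away|urgent)\b", re.I)
IMPERSONAL = re.compile(r"^\s*(dear (user|member|customer)|hello,)", re.I | re.M)
INSTALLER_EXT = (".exe", ".msi", ".scr", ".js", ".vbs", ".zip")


def assess(raw_message):
    """Return (score, reasons) for an RFC 822 message given as a string.
    Each matched warning sign adds one point; 0 means nothing was flagged."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    subject = msg.get("Subject", "").strip()
    reasons = []

    # Anything that invokes LinkedIn but is not sent from a confirmed address.
    claims_linkedin = "linkedin" in sender or "linkedin" in subject.lower()
    if claims_linkedin and sender not in LINKEDIN_SENDERS:
        reasons.append(f"claims LinkedIn but sent from {sender!r}")
    if subject.lower() in SUSPICIOUS_SUBJECTS:
        reasons.append(f"subject matches advisory list: {subject!r}")

    body, attachments = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")
    if URGENCY.search(body):
        reasons.append("pressures recipient to act immediately")
    if IMPERSONAL.search(body):
        reasons.append("not addressed to the recipient personally")
    for filename in attachments:
        if filename.lower().endswith(INSTALLER_EXT):
            reasons.append(f"asks to open/install attachment {filename!r}")
    return len(reasons), reasons


# Constructed samples: a genuine-looking notification, a lure using one of the
# listed subjects, and a lure carrying an installer-style attachment.
LEGIT = """From: LinkedIn <linkedin@e.linkedin.com>
To: member@example.org
Subject: Jane viewed your profile
Content-Type: text/plain; charset="utf-8"

Hi Alex,
Jane viewed your profile this week.
"""

PHISH = """From: LinkedIn Security <security@linkedin-alerts.example>
To: member@example.org
Subject: Your Account Will Get Terminated!
Content-Type: text/plain; charset="utf-8"

Dear user,
Confirm your identity immediately or your account will be closed.
"""

ATTACH = """From: "LinkedIn" <no-reply@linkedin-update.example>
To: member@example.org
Subject: Security update required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello,
Install the attached update right away to keep your account.
--b1
Content-Type: application/octet-stream; name="LinkedIn-Update.exe"
Content-Disposition: attachment; filename="LinkedIn-Update.exe"

MZ...
--b1--
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("phish", PHISH), ("attach", ATTACH)):
        print(name, assess(sample))
```

The sender check is intentionally one-sided: a message is only penalised when it invokes LinkedIn while coming from an address outside the confirmed set, so ordinary mail from other senders is not scored for that rule. The score is a triage aid for a mailbox or SOC queue, not a verdict; the same advisory steps (forwarding to phishing@linkedin.com, reporting via the “More” menu) still apply to anything it flags.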

Members who suspect they have received a phishing email can report it by forwarding it to phishing@linkedin.com. If a user receives a LinkedIn message they believe is a phishing attempt, they can click the “More” icon and select one of the following options:

  1. It’s spam or a scam
  2. It’s a scam, malware, or phishing

After completing the above steps, the phishing message will get deleted from the user’s inbox, and they will get an option to block the sender.

How to Stay Safe from Such Attacks?

While it is impossible to prevent all malicious messages from coming your way, here are a few tips you can remember when reading and replying to messages you receive:

  • Don’t share your personal details, like government-issued ID numbers, bank accounts, or credit card numbers, with people you don’t know.
  • Don’t enter usernames, birth dates, passwords, or other personal details by clicking on links from emails. You should visit the website directly by entering it into your browser. Additionally, ensure you only enter such information during secure browsing sessions.
  • Those applying for jobs online should be wary of recruiters who request them to send personal information to an email address not associated with the organization. The email domain must contain the original company name, like @linkedin.com.
  • Be cautious when clicking embedded links in emails. Clicking a bad link can allow malware to infiltrate your system. If in doubt, hover the cursor over the link (without clicking) and check whether it actually points to the genuine website.
  • Check that messages claiming to come from LinkedIn carry LinkedIn’s security footer.

Expert Comments on the Smart Link Campaign

Brad Haas, senior intelligence analyst, Cofense

“Creating Smart Links is relatively easy, but the main barrier to entry is the requirement of a Premium LinkedIn account,” he notes. The threat actor must access a legitimate member’s account or purchase the service. Beyond that, it’s relatively easy for cybercriminals to use Smart Links to redirect users to malicious websites. We saw threat actors abusing LinkedIn Smart Links earlier, but until now we have not seen it reach users’ inboxes.

Patrick Harr, CEO, SlashNext

“Phishing occurs anywhere a user can send or receive a link,” he adds. Hackers wisely use techniques that avoid corporate email, the most secure channel. Instead, they use personal emails and social media apps as a backdoor into the enterprise network. “Phishing scams are becoming a serious problem for enterprises, and they are moving to collaboration tools, SMS, and social media.”

Final Words

The growing use of platforms such as LinkedIn by threat actors to direct users to malicious content is a significant cause for concern. Users must be extremely cautious when opening links from unsolicited texts, emails, and other channels. LinkedIn members should visit the site directly to check for updates and messages, and hover over any link before clicking on it.