Phishing, Security Staff Acquisition & Development, Email security, Identity

Credential-phishing campaign using LinkedIn Smart Links resurfaces

Linkedin app under a magnifying glass.

A resurgence of phishing campaigns using LinkedIn Smart Links has been observed in a sizable credential phishing campaign that targets Microsoft Office credentials and has been creeping into user email inboxes once again.

In a blog post Oct. 11, Cofense said while Smart Links in phishing campaigns are nothing new, they identified an anomaly of more than 800 emails of various subject themes, such as financial, document, security and general notification lures reaching user inboxes across multiple industries — but mostly in finance and manufacturing — that contain more than 80 unique LinkedIn Smart Links.

Smart Links are links used by a LinkedIn team or business account connected to LinkedIn Sales Navigator services that deliver content and track engagement metrics.

In 2022, the Cofense Phishing Defense Center (PDC) detected phishing campaigns that used LinkedIn links called Smart Links or “slink” to bypass security email gateways (SEGs) to deliver credential phishing, which was covered last fall in an earlier blog by Cofense. These type of attacks were first identified by Cofense as early as 2021.

“LinkedIn is a trusted brand with a trusted domain name that can allow malicious actors to take advantage of when sending emails with Smart Links embedded into them,” wrote the researchers. “This will enable emails to bypass SEGs and other security suites.”

Patrick Harr, chief executive officer at SlashNext, said his team has seen a significant, triple-digit percentage increase in spear-phishing credential theft this year. Harr said the current threat landscape includes a lot of access brokers that “sell” access to companies in exchange for money, often to ransomware groups.

“When you speak to some of these access brokers, most of the time they've gained access through spear phishing,” explained Harr. “Cybercrime has expanded to social, mobile and collaboration channels, so spear phishing, combined with credential stealing, is expanding as a result.”

Vinay Pidathala, senior director of Menlo Labs, added that the misuse of LinkedIn Smart Links is a good example of how threat actors are evolving their tactics and techniques towards highly evasive threats to bypass existing defenses. Pidathala said it’s a core area of research for his team and they continue to see an uptick in types of attacks. 

“The use of legitimate websites is particularly important because the website is well-trusted by the user and hence the probability of compromise goes up,” said Pidathala. “Security vendors and their solutions embrace the concept of trust, meaning some websites can be trusted to never deliver maliciousness. Therefore, attacks such as the one using LinkedIn Smart Links goes undetected by the typical security stack, significantly increasing the likelihood of successful attack execution.” 

Emily Phelps, director at Cyware, said while we may strive for a passwordless world where there’s little or no credential theft, there are several challenges preventing the full realization of this vision. Phelps said transitioning away from password-based authentication requires both technical and cultural shifts.

“For many organizations, the cost and disruption is high and the motivation to invest in such changes is limited,” said Phelps. “Infrastructure mechanisms are costly, especially at scale, and because no system is foolproof, it's hard to justify a move that will also have vulnerabilities. In fact, eliminating passwords doesn't entirely eliminate credential stuffing.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.