Application security, Malware, Phishing

LinkedIn Premium accounts being used in phishing scam

LinkedIn and Wells Fargo have found themselves once again at the center of a cyber issue, but this time hackers are using the business-oriented social media site to send phishing InMails posing as a Wells Fargo document.

Malwarebytes Senior Researcher Jerome Segura wrote in a blog that the current crop of phishing attacks use previously hacked LinkedIn Premium accounts as a starting point. These accounts are used because they can send InMails not only to their connections, but also to other LinkedIn members.

Like most phishing scams, the initial contact appears innocuous. Segurua said the target receives an InMail stating:

I have just shared a document with you using GoogleDoc Drive, 

View shared document[]

The shortened URL, a well-known dodge used to spread a malicious link, leads to a phishing site where those using Gmail and the other common email providers are asked to login in using their credentials. This leads to their username, password and phone number being stolen, however, to keep the victim from being suspicious about this activity a fake document, purportedly from Wells Fargo wealth management, is included apparently to act as the document mentioned in the original InMail.

Segura said an unknown number of Premium accounts must have been previously hacked in order for the hackers to begin their crime spree. But once inside even a few accounts the malicious actor can quickly spread out. Malwarebytes offered an example of one phishing email that was sent by a person with 500 connections plus access to everyone else on LinkedIn.

“This kind of attack via social media is not new – we have seen hacked Skype or Facebook accounts send spam – but it reminds us of how much more difficult it is to block malicious activity when it comes from long standing and trusted user accounts, not to mention work acquaintances or relatives. This also makes such attacks more credible to potential victims and can lead to a snowball effect when victims become purveyors of phishing links themselves,” Segura wrote.

Spotting a fake InMail is no simple exercise. The criminals manage to spoof the security footer message that is tacked on to each InMail, although LinkedIn does point out that this method is not foolproof.

“In other words, the delivery method is to be trusted, but the content may not. The same can be said for phishing pages that use HTTPS – which is the case here – making content delivery secure but the content itself fraudulent,” Segura said.  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.