LinkedIn is a popular social networking platform that is focused on professional networking and the business community. On this platform, users are focused almost entirely on making connections and finding jobs. But things are not always as they seem. Of late, LinkedIn is emerging as one of the most popular social networking sites used by attackers for phishing attacks.
In one of the recent alleged breaches at LinkedIn, attackers claimed that “Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof”. In this data breach, LinkedIn profiles, user IDs, email addresses, phone numbers, professional titles, and job-related descriptions were leaked. It is suspected that attackers use this data to harvest user credentials and other personal information through phishing attacks and more. LinkedIn's official statement on this data, however, is that “This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”
While analysing such LinkedIn messages or emails, we observed that attackers are spear-phishing victims with tiny or shortened URLs, using the job description or details listed on the target’s LinkedIn profile. When the unsuspecting victim clicks on the URL, the victim is redirected to phishing links and then to a fake Microsoft O365 login page that harvests the credentials. In some cases, attackers have used links that download banking malware or backdoors onto the victim’s machine.
Detailed flow diagram
Fig 1. Flow Diagram
Here is a sample LinkedIn message, which looks like a job offer but carries a malicious link.
“Hi there, I hope you are doing well! We have a personal project from a client I am presently taking on. It is still in the initial stages of follow-up. From your profile, we see your competencies could be useful. Kindly access this proposal via the link below and advice. (tinyurl[.]com[/]ndependentConsultantInTelecom) We look forward to your prompt and positive response. Kind Regards, Independent Consultant in Telecom and IT Services Industry”
During analysis, the URL “tinyurl[.]com/LeaderatCiscoSystems” redirected to a hardcoded OneDrive link ->
This link then downloads a PDF file.
Fig 2. PDF file
Once we open the PDF file, it shows “view message folder” as a clickable link. When clicked, it redirects to
https[:]//motemoat[.]net/proposal/owa/index.php, which further redirects to a long URL as given below:
The above URL shows a fake Microsoft login page, as below:
Fig 3. Fake Microsoft Login Page
After credentials are entered the first time, the page shows an “incorrect account or password” error.
Fig 4. Showing incorrect account or password
After the credentials are entered again, it shows the message “Your account process is completed”. We suspect this is the point at which the account credentials are collected.
Fig. 5 – Account Completed
The victim is then redirected to the legitimate Outlook page.
The same PDF file has one more URL, hyperlinked from the word “Message”: “https[:]//good354la354dsaporrpe.org/proposal/oWa/index.php”.
Another URL we analyzed was “tinyurl[.]com/ndependentConsultantInTelecom”. This URL redirects to a OneDrive link.
Fig. 6 – Document File
This link is also alive and downloads a doc file.
Once the DOCX file is opened, it shows a link with the text “view message folder”. This link redirects to
One more URL is hyperlinked from the word “Message”: “https[:]//good354la354dsaporrpe.org/proposal/oWa/index.php”.
This URL is also down as of now. It’s the same as the one found in the earlier PDF file variant.
Fig.7 – Embedded link on the text
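The chain described above (a shortened URL, later followed by an OWA-style path on a host that is not Microsoft's) can be hunted for in web-proxy logs. The sketch below is an added example, not part of the original analysis; the host lists, the 10-minute window, and the `(timestamp, client, url)` event format are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed, illustrative lists; extend for a real environment.
SHORTENERS = {"tinyurl.com"}
MS_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
               "office365.com", "outlook.com", "live.com")
OWA_PATH = re.compile(r"/owa/", re.IGNORECASE)  # matches /owa/ and /oWa/

def refang(indicator):
    """Turn a defanged indicator ([.], [:], [/], hxxp) into a parseable URL."""
    url = re.sub(r"\[([.:/])\]", r"\1", indicator.strip())
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url if "://" in url else "https://" + url

def classify(indicator):
    """Label a URL as 'shortener', 'owa-lookalike' or 'other'."""
    parts = urlsplit(refang(indicator))
    host = (parts.hostname or "").lower()
    if host in SHORTENERS:
        return "shortener"
    is_ms = any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)
    if OWA_PATH.search(parts.path) and not is_ms:
        return "owa-lookalike"
    return "other"

def flag_chains(events, window=600):
    """events: (epoch_seconds, client, url) sorted by time.
    Flag clients that reach an OWA lookalike within `window` s of a shortener hit."""
    last_short, hits = {}, []
    for ts, client, url in events:
        kind = classify(url)
        if kind == "shortener":
            last_short[client] = ts
        elif kind == "owa-lookalike" and ts - last_short.get(client, float("-inf")) <= window:
            hits.append((client, urlsplit(refang(url)).hostname))
    return hits

# Constructed proxy events; URLs are the defanged ones quoted in this article
# plus one benign Outlook request. Timestamps and client IPs are made up.
SAMPLE = [
    (1000, "10.0.0.5", "tinyurl[.]com/LeaderatCiscoSystems"),
    (1090, "10.0.0.5", "https[:]//motemoat[.]net/proposal/owa/index.php"),
    (1100, "10.0.0.7", "https://outlook.office.com/owa/"),
    (5000, "10.0.0.9", "https[:]//good354la354dsaporrpe.org/proposal/oWa/index.php"),
]

if __name__ == "__main__":
    for client, host in flag_chains(SAMPLE):
        print(f"review {client}: shortener followed by OWA lookalike on {host}")
```

A lookalike hit without a preceding shortener (the third client above) is still worth a lower-priority alert from `classify` alone, since the lure link can also be opened directly from the downloaded document.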