Armorblox spotted a new credential phishing campaign capable of bypassing Google email security. The campaign is conducted on LinkedIn, as social media continues to be a good source of targets for cybercriminals.

Diving into the details

  • The phishing campaign targeted 500 mailboxes of employees from a national travel organization. 
  • The email comes with the subject line - "We noticed some unusual activity" - pretending to be from LinkedIn.
  • However, the attackers have misspelled LinkedIn and the domain was created on March 6.
  • The phishing campaign bypassed detection by Google’s email security controls after passing authentication checks via DMARC and SPF.
  • The campaign leveraged brand impersonation, social engineering, malicious URLs, and existing business workflow replication.
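
SPF and DMARC only authenticate the domain that actually sent the message, so a lookalike domain the sender controls passes both. The following detection sketch is an added example, not Armorblox's or Google's logic; the brand list, the distance threshold of 2, the `.example` domains and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_DOMAINS = {"linkedin": "linkedin.com"}  # assumption: brands to protect

def edit_distance(a, b):
    """Levenshtein distance using a rolling dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def auth_passed(msg):
    """True when Authentication-Results reports both spf=pass and dmarc=pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return bool(re.search(r"\bspf=pass\b", results) and re.search(r"\bdmarc=pass\b", results))

def lookalike_verdict(raw):
    """Classify a raw message by its From domain, independent of SPF/DMARC."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    label = domain.split(".")[-2] if "." in domain else domain
    for brand, real in BRAND_DOMAINS.items():
        if domain == real or domain.endswith("." + real):
            return "legitimate-domain"
        near = edit_distance(label, brand) <= 2          # misspelled domain
        claims = brand in display.lower().replace(" ", "")  # brand in display name
        if near or claims:
            # A pass here is not reassurance: the sender owns the lookalike.
            return "lookalike-authenticated" if auth_passed(msg) else "lookalike-unauthenticated"
    return "no-brand-match"

SAMPLE_PHISH = (  # constructed message, not taken from the campaign
    'From: "LinkedIn" <security@linkedln.example>\n'
    "Subject: We noticed some unusual activity\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=linkedln.example;"
    " dmarc=pass header.from=linkedln.example\n\n"
    "body\n"
)

if __name__ == "__main__":
    print(lookalike_verdict(SAMPLE_PHISH))
```
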

Latest LinkedIn threats

LinkedIn emerged as the third-most impersonated brand in Q3, preceded by DHL and Microsoft. However, it was at the top of the list in the previous two quarters of the year.
  • Threat actors have been creating fake employee accounts on LinkedIn, which couple AI-generated profile photos with text copied from legitimate users. 
  • A September phishing campaign was observed using LinkedIn smart link redirects to abuse the Slovakian Postal Service. This campaign was capable of evading secure email gateways (SEGs).

LinkedIn fights back

  • The platform has introduced three new features to defend against fake profiles and malicious activities on the platform. 
  • LinkedIn has started showing more information about accounts to verify them, actively hunting for fake AIs, and warning users against suspicious messages.

The bottom line

Over the past few years, LinkedIn has been heavily exploited by bad actors to steal credentials from its users and attack corporate networks. Armorblox recommends implementing an email security layer instead of just using native email security. Furthermore, pay attention to social engineering cues and implement MFA.
Cyware Publisher
