loader gif

New Scam Uses Compromised Servers And Bogus Links To Target LinkedIn Users

New Scam Uses Compromised Servers And Bogus Links To Target LinkedIn Users
  • Scammers are using compromised servers and bogus links to lure LinkedIn users into providing their online credentials and payment card details.
  • The team that examined the scam noted that all the other subdomains they analyzed, redirected to various dating site portals.

What is the issue?

Scammers are using compromised servers and bogus links to lure LinkedIn users in providing their online credentials and payment card details.

How does this scam work?

  • Scammers send a message to the target via a LinkedIn account.
  • The message prompts the recipient to open the shared document which is sent via Onedrive.
  • The message includes a fake link that redirects the recipient to a compromised website.
  • Upon clicking the bogus link, a redirection script is used on the hacked server to divert the request to a second compromised server.
  • Finally, the URL redirects to a fake Microsoft Office 365 login phishing page, where the recipient is asked to enter the account credential.

More details about the scam

A Sophos employee received a similar scam message in his LinkedIn account. Upon suspicion, the Sophos team analyzed the embedded URL, which redirected to the website of a professional entertainer in the USA, whose server had been compromised.

“Hi, Hope all is well? I have shared a document with you via Onedrive, please see the shared document,” the message read.

The second server was a business site in Mexico. The team said that the affected site in Mexico has already spotted this scam and removed the offending content because it led to a 404 error page. All the other subdomains analyzed by the research team redirected to various dating site portals.

“Nevertheless, the redirection script provided the crooks with a general-purpose mechanism for running a range of different spamming, phishing and scamming campaigns at the same time, with the target site determined by the URL that the crooks used each time,” Sophos team noted.

loader gif