LinkedIn has become a popular target for phishing attacks, and in the latest scam to hit the platform, users have been targeted with phishing emails that appear to come from a legitimate business contact.
As the general public becomes more knowledgeable about the traditional tactics used to target them, cybercriminals have had to adapt their methods to avoid detection.
By hacking into legitimate user accounts, fraudsters have been able to send victims a seemingly innocuous email with a link to access a document hosted on OneDrive.
The crooks know that users are less likely to question the validity of a link if it comes from a trusted friend or contact, which is why the scam has proved so successful.
Image: LinkedIn Phishing Email (Source: Naked Security)
The beginning of the link within the email seems credible enough; however, the second half ends with the name of a hacked celebrity website in the US.
If users click on the link, they will activate a redirection script, diverting the request to a second server in Mexico, complete with a valid HTTPS certificate in the address bar.
The URL of the final page ends with ‘/office365’, suggesting the site was initially a cloned phishing website set up to capture the victim’s username and password. However, it appears the site has since closed down as it displays a 404 error message in Spanish.
Image: Cloned Mexican website
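The warning signs in the chain described above (a link that does not sit on a Microsoft domain, a redirect to an unrelated server, a final path ending in "/office365", and a hop between countries while HTTPS stays valid throughout) can be checked mechanically. The following Python script is an added example, not code from the original post or from Naked Security; the URLs in SAMPLE_CHAIN are constructed placeholders, since the post does not name the real sites.

```python
from urllib.parse import urlparse

# Constructed sample chain (placeholder hosts, not the real ones from the scam):
# a OneDrive-looking link, a hop through an unrelated compromised site, and a
# final HTTPS server under a different country TLD whose path ends "/office365".
SAMPLE_CHAIN = [
    "https://onedrive-share.example.com/view?doc=Q3-report",
    "https://celebrity-news.example.org/redirect.php?u=office365",
    "https://tienda.example.mx/office365/",
]

# Domains a genuine OneDrive / Office 365 link would be expected to end with.
MICROSOFT_SUFFIXES = ("onedrive.live.com", "sharepoint.com", "microsoft.com",
                      "microsoftonline.com")
LOGIN_PATH_HINTS = ("/office365", "/login", "/signin")


def is_expected_host(host, suffixes=MICROSOFT_SUFFIXES):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyze_chain(chain, suffixes=MICROSOFT_SUFFIXES, hints=LOGIN_PATH_HINTS):
    """Return (hop_index, reason) findings for URLs listed in redirect order.

    Every hop may use HTTPS and still be flagged: a valid certificate only
    proves the server owns the name in the address bar, not that the name
    belongs to Microsoft.
    """
    findings = []
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    for i, (url, host) in enumerate(zip(chain, hosts)):
        trusted = is_expected_host(host, suffixes)
        if i == 0 and not trusted:
            findings.append((i, f"entry link host {host} is not a Microsoft domain"))
        elif i > 0 and host != hosts[i - 1] and not trusted:
            findings.append((i, f"redirected from {hosts[i - 1]} to unrelated host {host}"))
        path = urlparse(url).path.rstrip("/").lower()
        if not trusted and any(path.endswith(h) for h in hints):
            findings.append((i, f"login-style path {path!r} on non-Microsoft host"))
    # A change of top-level domain mid-chain matches the US -> Mexico hop above.
    tlds = [h.rsplit(".", 1)[-1] for h in hosts if h]
    if len(set(tlds)) > 1:
        findings.append((len(chain) - 1, f"chain crosses TLDs: {' -> '.join(tlds)}"))
    return findings


def verdict(chain):
    """'block' if any hop in the chain is flagged, otherwise 'allow'."""
    return "block" if analyze_chain(chain) else "allow"


if __name__ == "__main__":
    for hop, reason in analyze_chain(SAMPLE_CHAIN):
        print(f"hop {hop}: {reason}")
    print(verdict(SAMPLE_CHAIN))
```

A genuine chain staying on Microsoft domains (for example onedrive.live.com redirecting to login.microsoftonline.com) produces no findings, while the constructed chain is flagged at every hop.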
With over 500 million members worldwide, LinkedIn has become the world’s largest professional network. It’s also considered to be the most trusted social media platform according to Business Insider’s Digital Trust Report 2018.
Unfortunately, this growth in numbers, coupled with a more trusting online environment, has resulted in a huge growth in phishing scams on the platform.
To protect yourself from being scammed on LinkedIn, there are a number of steps you should take:
- Limit the contact information on your profile – You should be wary of sharing sensitive information such as your phone number or home address on your LinkedIn profile. To remove this info, go into your profile and delete accordingly.
- Turn on LinkedIn’s secure browsing mode – LinkedIn offers secure browsing via HTTPS, which is great if you are accessing it via public wi-fi. To enable this, go into settings, click the account tab, then click Manage Security Settings and, in the pop-up box that opens, put a check in the box that says: ‘When possible, use a secure connection (HTTPS) to browse LinkedIn’.
- Limit information in your public profile – Even if you limit sensitive contact information on your profile, your detailed work history could provide attackers with lots of valuable information that could be used in a social engineering attack. It’s worth going through your profile and removing any detailed information that’s not necessary.
- Don’t click on suspicious links – Be wary of any posts or messages that ask you to click on a link. Even if you know the person, pay close attention to the language and tone of the message. If something seems even the slightest bit off, close it down and report the message to LinkedIn.
- Exercise caution when applying for jobs through the platform – When applying for jobs online, be wary of recruiters who ask you to send information to an email address that isn’t associated with the company. The email domain should contain the actual company name.
- Never accept connection requests from someone you don’t know – LinkedIn is a great way to build connections, but with over 33 million fake accounts on the platform, you should avoid connecting with someone you’re not familiar with.
- Keep operating systems up to date – It’s also important to ensure that your software is regularly updated to prevent criminals from gaining access to your computer through vulnerabilities in older and outdated systems.
- Enable two-factor authentication – Two-factor authentication (2FA) adds an additional layer of security to online accounts. To enable two-factor authentication on LinkedIn, go into your settings, click Manage Security Settings, turn on two-step verification and enter the telephone number you would like your verification code sent to. Click send code and, once you have received it, enter it into the box on the device you’re using to sign in. Click verify and then click done.
Metaphish provides a robust defence against phishing attacks by training employees how to identify and respond appropriately to these threats. Get in touch for further information on how we can help protect your business.