A malicious campaign targeting Internet users in Slovakia is yet another reminder of how phishing operators frequently exploit legitimate services and brands to evade security checks.
In this case, threat actors are taking advantage of a LinkedIn Premium feature called Smart Links to send users to a phishing page that collects credit card information. The link is embedded in an email purporting to be from the Slovak Postal Service, and because it is a legitimate LinkedIn URL, secure email gateways (SEGs) and other URL-reputation filters are unlikely to block it.
“In the case discovered by Cofense, attackers used a trusted domain like LinkedIn to bypass secure email gateways,” said Monnia Deng, director of product marketing at Bolster. “This legit LinkedIn link then redirected the user to a phishing site, where they went to great lengths to make it look legit, such as adding fake SMS authentication.”
The email also asks the recipient to pay a seemingly small sum of money for a package that is apparently awaiting shipment. Users who click on the link land on a page designed to look like the one the Postal Service uses to collect payments online. But instead of just paying for the supposed shipping of the package, users end up giving their full payment card details to phishing operators as well.
Not the first time the Smart Links feature has been abused
The campaign isn’t the first time threat actors have abused LinkedIn’s Smart Links feature – or Slinks, as some call it – in a phishing operation. But this is one of the rare cases where emails containing doctored LinkedIn links have found their way into users’ inboxes, says Brad Haas, senior intelligence analyst at Cofense. The phishing-protection provider is tracking the ongoing Slovak campaign and this week released a report on its analysis of the threat so far.
LinkedIn Smart Links is a marketing feature that lets users subscribed to its Premium service direct others to content the sender wants them to see. A single LinkedIn URL can point recipients to multiple marketing materials, such as documents, Excel files, PDFs, images, and web pages. Recipients receive a LinkedIn link which, when clicked, redirects them to the content behind it. Slinks also give the sender relatively detailed information about who viewed the content, how they interacted with it, and other details.
It also gives attackers a convenient and very credible way to redirect users to malicious sites.
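The two points above (a link on a trusted domain passes gateway checks, and the Smart Link is really a redirector whose landing page the URL itself says nothing about) suggest what a mail filter has to do differently: resolve the redirect chain and judge the final landing host against the brand the email claims to come from. The following Python script is an added example written for this article; it is not Cofense’s, LinkedIn’s or any vendor’s code. The redirector host list, the sender address, the email body, the `/slink?code=` URL and the redirect responses are all constructed for the demonstration, and `resolve_chain` takes a dictionary in place of live HTTP requests so it runs offline.

```python
"""Flag email links that pass through a trusted redirector and land off-brand.

Added example for the article above (not vendor code). All hosts, URLs and
redirect responses below are constructed sample data.
"""
import re
from urllib.parse import urlparse

# Hosts that act as trusted redirectors: a URL on one of these says nothing
# about where the reader ends up. Assumed list for this example only.
REDIRECTOR_HOSTS = {"www.linkedin.com", "linkedin.com", "lnkd.in"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Fine for the sample data; production code should use a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(body: str) -> list[str]:
    """Pull every http(s) URL out of a plain-text email body."""
    return URL_RE.findall(body)


def resolve_chain(url: str, redirect_map: dict[str, str], max_hops: int = 5) -> list[str]:
    """Follow a redirect chain and return every hop, starting with the input URL.

    redirect_map stands in for live HEAD/GET responses (constructed so the
    example runs offline); max_hops guards against redirect loops.
    """
    chain = [url]
    while chain[-1] in redirect_map and len(chain) <= max_hops:
        chain.append(redirect_map[chain[-1]])
    return chain


def assess_email(sender: str, body: str, redirect_map: dict[str, str]) -> list[dict]:
    """Return one finding per URL with a verdict of 'ok', 'suspicious' or 'high'.

    'high' means the link enters through a trusted redirector and lands on a
    domain unrelated to the claimed sender, which is the pattern in the
    Slovak campaign.
    """
    sender_domain = registrable_domain(sender.split("@")[-1])
    findings = []
    for url in extract_urls(body):
        chain = resolve_chain(url, redirect_map)
        first_host = urlparse(chain[0]).netloc.lower()
        final_host = urlparse(chain[-1]).netloc.lower()
        via_redirector = first_host in REDIRECTOR_HOSTS
        lands_off_brand = registrable_domain(final_host) != sender_domain
        if via_redirector and lands_off_brand:
            verdict = "high"
        elif via_redirector or lands_off_brand:
            verdict = "suspicious"
        else:
            verdict = "ok"
        findings.append({
            "url": url,
            "final": chain[-1],
            "hops": len(chain) - 1,
            "via_redirector": via_redirector,
            "verdict": verdict,
        })
    return findings


# --- constructed sample data (not real addresses or URLs from the campaign) ---
SAMPLE_SENDER = "delivery@example-posta.sk"
SAMPLE_BODY = (
    "Your parcel is waiting for dispatch. Pay the 1.99 EUR fee here: "
    "https://www.linkedin.com/slink?code=EXAMPLE1\n"
    "Terms: https://www.example-posta.sk/terms"
)
# Simulated redirect response: the Smart Link hops to a look-alike payment page.
SAMPLE_REDIRECTS = {
    "https://www.linkedin.com/slink?code=EXAMPLE1": "https://example-posta-platba.com/pay",
}


if __name__ == "__main__":
    for f in assess_email(SAMPLE_SENDER, SAMPLE_BODY, SAMPLE_REDIRECTS):
        print(f"{f['verdict']:<10} {f['url']} -> {f['final']} ({f['hops']} hop(s))")
```

Run as-is, the script marks the Smart Link as `high` (LinkedIn entry point, unrelated landing domain) and the genuine terms link as `ok`. The design choice worth noting is that the verdict never depends on the reputation of the first-hop domain, which is exactly the signal the campaign defeats; it depends on where the chain ends and whether that matches the brand the email impersonates.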
“It’s relatively easy to create smart links,” says Haas. “The main barrier to entry is that it requires a LinkedIn Premium account,” he notes. “A threat actor would have to purchase the service or access a legitimate user’s account.” But on top of that, it’s relatively easy for threat actors to use these links to send users to malicious sites, he says. “We’ve seen other phishing threat actors abuse LinkedIn’s Smart Links, but to date, it’s rare to see it reaching inboxes.”
Taking advantage of legitimate services
Attackers’ increasing use of legitimate software-as-a-service and cloud offerings such as LinkedIn, Google Cloud, AWS and many others to host malicious content, or to redirect users to it, is one reason phishing remains one of the main initial access vectors.
Just last week, Uber suffered a serious breach of its internal systems after an attacker obtained an employee’s credentials and used them to gain access to the company’s VPN. In that case, the attacker – whom Uber identified as belonging to the Lapsus$ threat group – tricked the user into accepting a multi-factor authentication (MFA) request by pretending to be from the company’s IT department.
It is significant that attackers are using social media platforms as a front for their phishing websites. It’s also troubling that phishing campaigns have evolved significantly to be not only more creative, but also more accessible to people who can’t write code, Deng adds.
“Phishing happens anywhere you can send or receive a link,” adds Patrick Harr, CEO of SlashNext. Hackers wisely use techniques that bypass the most secure channels, such as corporate email. Instead, they choose to use social media apps and personal emails as a backdoor into the business. “Phishing scams continue to be a serious problem for organizations, and they are turning to texting, collaboration tools and social media,” Harr says. He notes that SlashNext has seen an increase in requests for SMS and messaging protection as compromises involving text messaging become a bigger issue.