LinkedIn Phishing: Casting a criminal lure in professional networks

In this article we explore a recently discovered LinkedIn phishing attempt and discuss the effectiveness of LinkedIn as an attack vector over a more traditional email-based campaign.We also discuss the psychological cues that threat actors leverage to secure the compliance of their mark. Following our own digital investigation, we provide an analysis of the extent to which sensitive data could have been illegally acquired by this method and consider the implications for LinkedIn users, businesses, and their employees. Finally, we provide advice and recommendations to reduce the likelihood of users falling victim to such attacks in the future.

Description of attack

Malicious actors were able to access the LinkedIn account of a high-profile businessman who occupied several Board positions, some governing companies and organisations of strategic UK national importance. Operating a ‘free’ LinkedIn account, the LinkedIn user had in excess of 2000 connections, a significant proportion of which occupied senior and highly influential roles in both government and industry.

Once the hacker had obtained access to the victim’s account, almost certainly with full visibility of their connections and messages, they were then able to send an InMail message – a LinkedIn function that allows users to send direct messages to other LinkedIn members that they’re not connected to – requesting the recipient’s ‘urgent’ review of a project proposal.

In reality,this was a phishing attempt: the InMail contained a malicious link which, once ‘clicked’, would attempt to trick the victim into providing login credentials, plainly an enabling step to commit other crimes.

What makes us take the bait?

‘Phishing’ is a tactic that utilises deception and other manipulation techniques in an attempt to acquire sensitive information from a target.Though most commonly associated with email communication,it can also be achieved via other message delivery mechanisms.For a variety of reasons, social networking sites (SNS), such as Facebook, Twitter and LinkedIn, are particularly attractive to criminal ‘phishers’. For one, research has shown that within an SNS environment, users are much more easily deceived and thus more likely to fall victim to social engineering attacks [1]. With over 690 million users worldwide [2], each displaying to varying degrees of detail and openness (and credibility) their own professional resume, LinkedIn is a ripe hunting ground for cyber criminals, foreign intelligence services, and competitive intelligence operators.

As an act of malign persuasion, in whatever context, phishing is reliant on a number of factors.Chief among them in an SNS context is the principle of ‘liking’ – that we most prefer to comply with requests from people we “know and like” [3]. As a leading world authority on social engineering, Chris Hadnagy [4] summarises this principle with the tongue-twisting tenet: “People like people who are like them.People like people who like them”. This is all the more tangible on sites such as LinkedIn as users actively respond to posts and comments with‘reactions’, including a thumbs-up icon known as a ‘like’.

At least one study has shown that users receiving a phishing email seemingly from one of their friends were significantly more likely to “take the bait” than if the email had been received from an unknown sender [5]. This finding is likely to be just as relevant to the LinkedIn platform: a phishing message from a connection is more likely to deceive that recipient and secure their compliance. Though there are many reasons that have been found to determine individual susceptibility to phishing, interestingly, research suggests that narcissistic personalities are more vulnerable to phishing attempts, perhaps a consequence of their inherent overconfidence and impulsivity [6]. It might be assumed that susceptibility to be scammed correlates with lower intelligence; that only ‘stupid’ people can fall victim.In fact, quite the opposite has been found to be true: the more intelligent you are the more likely you are to trust others [7] [3].

There are numerous psychological processes that underlie the success of scams in securing our compliance.Commonly, they include: the exploitation of strong motivation factors, for example the prospect of increased wealth or improved health;the ability to invoke a misplaced sense of trust; the use of social influence techniques; and the perception of scarcity and urgency [8]. In her ground-breaking doctoral research, Martina Dove [9] developed a Susceptibility to Fraud Scale measuring: compliance; impulsivity; vigilance; the time invested in decision-making; and belief in justice. Not only did her research show that victims of fraud exhibit specific vulnerabilities, and that susceptibility to phishing attacks can be predicted, but also that those susceptible to fraud are more likely to exhibit the Barnum effect: the propensity for people to accept vague, generalised statements as accurate feedback of their own unique personality.It is perhaps then of no surprise that a foundational technique employed by self-proclaimed ‘psychic readers’ are Barnum Statements – “artfully generalised character statement[s] that most people will accept as reasonably accurate” [10].

In some sense, the role of a psychic is easier than that of many confidence artists when it comes to the put-up: the marks, in a certain respect, come preselected. Just by walking into the parlor, you’ve shown yourself to be open to belief and suggestion, and you’re obviously searching for an easy answer to your problem or situation. That’s true of other types of rackets as well. In the age of the Internet, it’s easier than ever to clear the first hurdle of the put-up: those who respond to false ads, emails, or other phishing schemes. Gone is the need to be psychologically savvy at first glance.All you need is to build an alluring storefront or craft a message that will hook your potential prey [11].

The propensity for social networking sites to being ‘breached’ by criminals looking to steal login credentials en masse presents a compelling practical reason for criminals to target such sites.The consequent likelihood of a user’s account being illegally taken over are far from fanciful – especially if the user reuses passwords across multiple sites and has overlooked the implementation of two-factor authentication(where available) to strengthen account security. Once a compromised account is under the control of the criminal, they can access the private user access-only areas of the SNS profile, and impersonate the user to trick and defraud others with relative ease – such as by sending carefully crafted messages as a means to deliver a malicious payload to their victim.

SNS message phishing can also circumvent some of the countermeasures implemented in email systems to detect and contain such scams before they arrive in a user’s inbox, including spam filtering and email authentication. However, a 2016 investigation by the security awareness training company KnowBe4 identified another dimension to this tactic. LinkedIn phishing InMails were found to generate email alerts that would deliver malicious links to a user’s external (LinkedIn-associated) email address, notwithstanding them being unknown to the attackers. Indeed, the researchers found that given the emails were delivered by LinkedIn’s own servers, it “virtually guaranteed that they would sail through most email security solutions” [12].

Technical investigation

The means by which the offenders gained access to the businessman’s LinkedIn account are not known.However, it was quickly established that the email address associated with his account was compromised in a 2012 data breach (made public four years later) that exposed the email addresses and passwords of c. 164 million users.It is possible that many users still use the login credentials compromised in this incident. Indeed, in one survey conducted in the aftermath of the breach, researchers found that less than half of participants changed their LinkedIn password having been notified that their account had been compromised [13]. Yet even where passwords have been changed, data breaches remain a source of highly valuable intelligence for threat actors.This is in part due to poor password management habits, there being evidence to suggest that up to 50% of users reuse the same password across multiple sites [14]. Therefore, if a password can be acquired via breach data, it may be a key that open’s multiple other doors for a hacker.

The link in the message received from the victim begins with ‘1drv.ms’: a URL-shortening mechanism used by Microsoft for files hosted on its OneDrive platform. There is, therefore, nothing obviously malicious about the appearance of the link.When a victim clicks on it, the link redirects automatically to open a document hosted on OneDrive, Microsoft’s cloud-based file hosting service. The file is accessible publicly, meaning no credentials are required to view it.

The file is a single page PDF document and several suspicious features can be noted. It purports to be a ‘Public Shared Document’ and displays what is seemingly the LinkedIn logo in two locations, perhaps to give the victim the impression that the file is protected using a (non-existent) service offered by LinkedIn.

There also appears to be a button with a drop-shadow in the middle of the page labelled ‘View Document’. But if the mouse pointer is placed anywhere over the document, the whole page is highlighted in a different colour, indicating that it is a link to another website. The target address is shown by the web browser in the bottom left hand corner of the screen.

It should be noted that a forensic investigation of the PDF file reveals that it did not contain any malware. However, other phishing attacks do exactly that: by downloading a PDF or other innocuous looking file, the victim is unwittingly causing malicious software to run on their device, such as keyloggers and banking trojans.

This page looks remarkably authentic. Many of the links on this page even point to legitimate Microsoft web pages, whereas others lead back to the same page or do not work at all. The key indicator that this is a fake page is the URL (appspot.com is a web application hosting service provided by Google). Furthermore, the browser indicates that this is an unsafe website with a red exclamation mark in the address bar. The ‘Office 365’ link in the middle of the screen takes the victim to a fake login screen.

Here the victim is invited to supply Microsoft account credentials. This page has a very convincing appearance, perhaps as a result of being cloned from an original Microsoft login page. But there are a couple of signs that this is not a legitimate website. Firstly, the address bar: once again, we can see the bogus URL and the warning in the browser’s address bar; a proper site would have had an address belonging to Microsoft and the browser would have shown a padlock confirming the site’s identity. The second clue is the 2019 copyright notice at the bottom of the page, which the attackers neglected to change.

In summary, the victim receives a supposedly urgent and mildly flattering LinkedIn message from a known associate containing a link to a document for review. That document in turn contains a link to a fake Microsoft Office 365 web page which invites the victim to enter credentials to view shared files. But doing so only results in those credentials being harvested by the attacker for further nefarious activities.

Access to a compromised Office 365 or other corporate account could serve as a gold mine to attackers.The ability to intercept conversations, access confidential documents and to identify and track other individuals are all very real possibilities. What’s more, acquiring this highly sensitive information could certainly enable further crimes, such as fraud and ransomware attacks. Not only may this lead to direct financial loss, but also the loss of confidential information and trade secrets, having a far more serious strategic impact on a business. The associated reputational damage this causes, as well as regulatory fines that could be imposed, could be disastrous for the initial phishing victim, their employer, and their wider network.

How to protect yourself

Always be wary of attachments in unsolicited messages.If you receive a message from a known contact, consider using another method of communication to reach the sender and confirm that the file or link is legitimate. This not only helps to keep you safe, but if the message is bogus you can help your contact to take action, without alerting the attacker.

When you do open an attachment, look out for signs such as unusual web addresses, grammar and formatting mistakes, strange logos and branding, and unnecessary prompts for personal information. Attackers don’t always make mistakes like these, but when they do, use them to identify harmful messages.

If you suspect that your account has been compromised, change your password immediately. This may not automatically log you out of active sessions on other apps or devices, so it is important to review those and disconnect them if necessary. This might also indicate any historic account access which weren’t authorised by you. This advice also applies to any email accounts which are connected to the compromised account.

Always use strong passwords, avoid password reuse, enable multi-factor authentication wherever possible and consider using a password manager. For further advice please refer to guidance from the National Cyber Security Centre.

Ensure that your devices and software are kept up to date with the latest security patches. Furthermore, it is very important that you report any breaches to your service provider, and where applicable to your local IT service administrator. This will allow them to take further steps to protect you and your colleagues.

Indicators of Compromise

• URL: hxxps://1drv[.]ms/b/s!AjAWbq0cfAxGeWyOYVa-UicZ5PM

• URL: hxxps://onedrive[.]live[.]com/?authkey=%21AGyOYVa%2DUicZ5PM&cid=460C7C1CAD6E1630&id=460C7C1CAD6E1630%21121&parId=root&o=OneUp

• URL: hxxps://pacific-formula-278007[.]du[.]r[.]appspot[.]com/home.html

• URL: hxxps://pacific-formula-278007[.]du[.]r[.]appspot[.]com/off365.html?payment+codeAAQkADUyYzNhODUwLTAwNzYtNGE2YS04YWQ1LWI2Yjg5MWY5NzM2ZAAQADKpx%2Blv1KxDr2OE5uAPrZw%3D#

• IP Address: 108[.]177[.]111[.]153

• File hash (MD5): 53fdbb76d6ade929ea411492aebb0ff0 (P-PROPOSAL.pdf)

• File hash (SHA-1): d3293a9ab2af019142ff2f246d9605ea2304e02c (P-PROPOSAL.pdf)

• File hash (SHA-256): 0d9aea00d85f596500960ed8967e8ead1126c5b6d9fe2fe5735d1b76a721d993 (P-PROPOSAL.pdf)

References

[1] M. Silic and A. Back, “The dark side of social networking sites: Understanding phishing risks,” Computers in Human Behavior, vol. 60, pp. 35-43, 2016.
[2] “About LinkedIn,” [Online]. Available: https://about.linkedin.com/. [Accessed 3 June 2020].
[3] N. Carl and F. C. Billari, “Generalized trust and intelligence in the United States,” PloS one, vol. 9, no. 3, 2014.
[4] C. Hadnagy, in Social Engineering: The Science of Human Hacking, 2nd Edition, Indiana, Wiley, 2018, p. 146.
[5] T. N. Jagatic, N. A. Johnson, M. Jakobsson and F. Menczer, “Social Phishing,” Communications of the ACM, vol. 50, no. 10, pp. 94-100, 2007.
[6] S. R. Curtis, P. Rajivan, D. N. Jones and C. Gonzalez, “Phishing attempts among the dark triad: Patterns of attack and vulnerability,” Computers in Human Behavior, vol. 87, pp. 174-182, 2018.
[7] M. Hooghe, S. Marien and T. de Vroome, “The cognitive basis of trust. The relation between education, cognitive ability, and generalized and political trust,” Intelligence, vol. 40, no. 6, pp. 604-613, 2012.
[8] P. Fischer, S. E. Lea and K. M. Evans, “Why do individuals respond to fraudulent scam communications and lose money? The psychological determinants of scam compliance,” Journal of Applied Social Psychology, vol. 43, no. 10, pp. 2060-2072, 2013.
[9] M. Dove, “Predicting Individual Differences in Vulnerability to Fraud,” University of Portsmouth, 2018.
[10] I. Rowland, The Full Facts Book of Cold Reading, Ian Rowland Limited, 2002.
[11] M. Konnikova, in The Confidence Game: The Psychology of the Con and Why We Fall for It Every Time, Edinburgh, Canongate, 2016, p. 77.
[12] E. Howes and R. Falke, “The LinkedIn Phishing Attack: How They Did It,” 11 November 2016. [Online]. Available: https://blog.knowbe4.com/the-linkedin-phish-how-they-did-it. [Accessed 3 June 2020].
[13] J. H. Huh, H. Kim, S. S. Rayala, R. B. Bobba and K. Beznosov, “I’m too busy to reset my LinkedIn password: On the effectiveness of password reset emails,” Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 387-391, 2017.
[14] A. Das, J. Bonneau, M. Caesar, N. Borisov and X. Wang, “The tangled web of password reuse,” in NDSS Symposium 2014, San Diego, 2014.

At a time when many of us are working from home, it is especially important to stay vigilant online. Sign up to our newsletter to receive the latest news and digital insights from CCL Group.

Sign up to receive the latest news and insight from CCL Group.

Notice: JavaScript is required for this content.