Cybercriminals are targeting businesspeople with an elaborate phishing attack aimed at stealing sensitive data (opens in new tab) , including credit card and other payment information, researchers have found.
The attack also abuses a premium LinkedIn feature called Smart Link, which allows users of the social media site to send more than a dozen documents via a single link.
Not only is it more convenient, but it also allows the sender to keep track of how many people opened the link and files inside, how much time they spent with each file, etc. What's more, Smart Link allows users to redirect the recipients elsewhere.
Sharing key data
Researchers from Cofense discovered the attackers would send a phishing email pretending to be from Slovenská pošta, the Slovakian national postal service. The email would state that the recipient needs to pay a little extra to be able to receive a pending parcel. As usual, the email carries a "confirm" button, which is the LinkedIn Smart Link URL, and which redirects victims to the phishing page.
What makes this attack vector particularly dangerous is the fact that Smart Link is a legitimate feature and does not get flagged by email security products. When the victims click the button, they get sent to a page where they're asked to pay €2.99 – not a big sum, but money is not the goal here, anyway – data is.
On the page, victims need to share all kinds of sensitive data, including all the credit card details needed to make a payment. Finally, when all is complete, the victim is redirected to an SMS code confirmation page which, as researchers found, is only there to add legitimacy to the whole campaign.
LinkedIn has been notified of the malicious campaign abusing its services, and says it's currently investigating the matter.
In a statement to BleepingComputer , the company said: "Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification."
- Check out our list of the best antivirus (opens in new tab) tools right now
Via: BleepingComputer (opens in new tab)
- Study finds nearly half of all phishing sites now use SSL protection to trick users
- Study finds half of phishing sites now use SSL protection to trick users
- Half of all phishing sites display the padlock, making people think they're safe
- 'Hi, how can we scam you today?' -- Office 365 phishing site comes with live chat support
- LinkedIn acquires Glint to help users track employee engagement
- Which smart scales support multiple users?
- Microsoft shuts down phishing sites, accuses Russia of new election meddling
- Government dismisses study linking use of food banks to benefit cuts
- Protect Yourself Against Amazon Prime Day Phishing Scams
- Reeling us in: How phishing email scams keep getting smarter
- How Phishing Scams Are Evolving—And How Not to Get Caught
- How do cybercriminals use credential phishing attacks to steal vital business data?
- How do cyber-criminals use credential phishing attacks to steal vital business data?
- Phishing scams keep getting smarter, making them difficult to spot
- Porn-Lovers Got “Phished” 10 Times More In 2018: Report
- 10 Smart Home Innovations To Watch in 2019
- Vizio Claims Smart TVs Spy on You for Your Own Good
- LinkedIn Is Pivoting Harder Into Video
- The Benefits (and Limits) of Using Tech to Plan a Wedding
- 12 Free Sites To Watch TV Shows Online (Legally In 2019)
LinkedIn Smart Links are being used to send users to phishing sites have 622 words, post on www.techradar.com at September 23, 2022. This is cached page on TechNews. If you want remove this page, please contact us.