LinkedIn users are receiving messages from scammers posing as trusted contacts, sent from compromised LinkedIn accounts within the targets' own network of contacts. The message suggests that the targeted person open a document that has been shared with them through OneDrive. Instead of taking the user to a OneDrive document, the link leads to a compromised website. When the link is clicked, a redirection script on the hacked server reroutes the request to a second compromised server, which in turn redirects to a phony Microsoft Office 365 login page where the targeted user is asked to enter their login credentials.

An employee at Sophos received a phishing message on LinkedIn that read "Hi, Hope all is well? I have shared a document with you via Onedrive, please see the shared document." Suspicious, he and his team at Sophos took a deeper look at the URL and found that it redirected to a site belonging to an entertainer, which had been compromised. The second compromised server belonged to a business in Mexico, but it appeared that the business was already aware of the scam and had removed the harmful content. Other subdomains used as redirects typically led to dating sites. "Nevertheless, the redirection script provided the crooks with a general-purpose mechanism for running a range of different spamming, phishing and scamming campaigns at the same time, with the target site determined by the URL that the crooks used each time," stated the team at Sophos.
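The pattern described above (a "shared document" lure whose link never touches a Microsoft host but ends on a login-looking page after several redirects) is something a triage script can flag. The example below is added here and is not code from Sophos or Binary Defense; the hop table and all domain names are constructed placeholders, not the sites from the report, and the MICROSOFT_HOSTS allowlist is an assumption a real deployment would maintain.

```python
"""Walk a redirect chain offline and flag an Office 365 share lure whose
landing page is not on a Microsoft host. Hop data is constructed for this
example; a real triage tool would collect each Location header itself
rather than letting a browser follow the chain."""
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve OneDrive shares
# and Microsoft sign-in pages.
MICROSOFT_HOSTS = {
    "onedrive.live.com", "1drv.ms",
    "login.microsoftonline.com", "login.live.com",
}

# Constructed hop table: each URL maps to the Location header it answers
# with. Placeholder domains only; they model the two compromised servers
# and the fake login page from the report.
HOPS = {
    "https://entertainer-site.example/share/doc": "https://biz-mx.example/r.php?t=o365",
    "https://biz-mx.example/r.php?t=o365": "https://office365-verify.example/login",
}


def resolve_chain(start_url, hops, max_hops=10):
    """Return the ordered list of URLs visited, stopping at the first URL
    with no redirect, on a loop, or after max_hops (loop protection)."""
    chain = [start_url]
    seen = {start_url}
    while chain[-1] in hops and len(chain) <= max_hops:
        nxt = hops[chain[-1]]
        if nxt in seen:  # redirect loop: stop rather than spin forever
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess_lure(chain):
    """Score a chain for the campaign's pattern: a OneDrive share lure that
    never reaches a Microsoft host yet ends on a login-looking page."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    final = urlparse(chain[-1])
    final_host = final.hostname or ""
    login_like = any(w in final.path.lower() for w in ("login", "signin"))
    lookalike = login_like and final_host not in MICROSOFT_HOSTS
    return {
        "hops": len(chain) - 1,
        "never_reaches_microsoft": not any(h in MICROSOFT_HOSTS for h in hosts),
        "final_host": final_host,
        "lookalike_login": lookalike,
        "verdict": "likely phishing" if lookalike else "inconclusive",
    }
```

A mail or chat gateway could run the same check on every "shared document" link and quarantine messages whose chain ends in a lookalike login page.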
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.