LinkedIn users are receiving messages from scammers posing as trusted contacts, using compromised LinkedIn accounts in the targets’ network of contacts. The message suggests that the targeted person should open a document that has been shared with them through Onedrive. Instead of the link taking the user to the Onedrive document, it directs instead to a compromised website. A redirection script is used on the hacked server to reroute the request to a second compromised server when the link is clicked. The URL then redirects to a phony Microsoft Office 365 login page, where the targeted user is asked to input their login credentials. An employee from Sophos received a phishing message on LinkedIn that read “Hi, Hope all is well? I have shared a document with you via Onedrive, please see the shared document.” After being suspicious, he and his team at Sophos took a deeper look at the URL and found that it redirected to a site that belonged to an entertainer, which had been compromised. The second compromised server belonged to a business in Mexico, but it seemed as if they were already aware of the scam and that they removed the harmful content. Any of the subdomains that were used as redirects as well typically led to dating sites. “Nevertheless, the redirection script provided the crooks with a general-purpose mechanism for running a range of different spamming, phishing and scamming campaigns at the same time, with the target site determined by the URL that the crooks used each time,” stated the team at Sophos.
Analyst Notes
It is important to be alert for suspicious messages that direct you to enter your password on a website, even when a trusted contact appears to have sent the message. Pay careful attention to the website address of the login page and double-check that it really belongs to the service you think you are about to log in to. Many times, scammers will make typos or mistakes in their messages which should set off a red flag. If the message received comes from someone you know or are in regular contact with but seems suspicious, they should be contacted by a phone call or another channel to verify that they are the ones that sent the message. This is also a great time to remind people that 2FA and strong passwords will greatly reduce the chance of their accounts being compromised and used to carry out campaigns of this nature.
