Security News LinkedIn Phishing Campaign Pretends to Care for Your Security

Andra Zaharia

From Heimdal
Thread author
Verified
Jun 29, 2015
104
Now, phishing campaigns are nothing new. But I wanted to take the chance to "dissect" this one for the benefit of people who believe that it can't happen to them.

Did you know that 23% of email recipients open phishing messages and 11% click on attachments?

It may not sound like much, but these numbers are actually 3 times higher than average open and click rates for legitimate email marketing campaigns.

So we, the ones who see campaigns like these all the time and don't fall for them, should remember that there are many more people who click on things and comply with cybercriminals' demands without questioning them or thinking of the consequences.

Have you seen any other campaigns like this one lately?
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
I've been receiving a normal amount of spam but recently there's been a spike and some of them are getting past my hotmail spam filter, specifically some regarding paypal that have been so well crafted I doubt an everyday user might be able to spot through the lies. Even the Phishing page (a fake paypal login which really looks like the real thing) has a very similar URL to paypal and has HTTPS which was one of a few things that threw me off.

Ran all the analysis through a sandboxed browser of course and sent the links to google and firefox in hopes that it helps inexperienced users spot the difference
 

Andra Zaharia

From Heimdal
Thread author
Verified
Jun 29, 2015
104
I've been receiving a normal amount of spam but recently there's been a spike and some of them are getting past my hotmail spam filter, specifically some regarding paypal that have been so well crafted I doubt an everyday user might be able to spot through the lies. Even the Phishing page (a fake paypal login which really looks like the real thing) has a very similar URL to paypal and has HTTPS which was one of a few things that threw me off.

Ran all the analysis through a sandboxed browser of course and sent the links to google and firefox in hopes that it helps inexperienced users spot the difference

The worst part, in my opinion, is that, while this is making the few of us paranoid about all emails, it doesn't touch the people who would blindly click on the links. And that's where we have our work cut out for us.
 

conceptualclarity

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,076
For me, it's important to be vigilant against phishing, because my experience with spam filtering is terrible. My ISP blocks so many legitimate emails I'm thinking about getting my email disconnected from it however I can. My ISP filter has not caught a single one of those emails about me winning lotteries I never entered or foreigners wanting to share their inheritances with me.

I turned off the ESET spam filtering shortly after installing Smart Security because I saw it was going to do the same thing. I receive many legitimate emails that I forward to friends that are blocked by their spam filters. So I pretty much feel to hell with spam filters.

Fortunately I don't get phishing too often, and I am learning to recognize it.
 

Dirk41

Level 17
Verified
Top Poster
Mar 17, 2016
797
Now, phishing campaigns are nothing new. But I wanted to take the chance to "dissect" this one for the benefit of people who believe that it can't happen to them.

Did you know that 23% of email recipients open phishing messages and 11% click on attachments?

It may not sound like much, but these numbers are actually 3 times higher than average open and click rates for legitimate email marketing campaigns.

So we, the ones who see campaigns like these all the time and don't fall for them, should remember that there are many more people who click on things and comply with cybercriminals' demands without questioning them or thinking of the consequences.

Have you seen any other campaigns like this one lately?


thank you for sharing.
could someone tell me how they manged to create https in a fake linkedin webpage? @Wave for sure you may know it :p
 
W

Wave

thank you for sharing.
could someone tell me how they manged to create https in a fake linkedin webpage? @Wave for sure you may know it :p
This phishing attempt is actually quite interesting and I honestly was not expecting it to be as well-carried out as it has been... However the entire phishing attack is relying on social engineering factors - if you are a strong person and are not easily led (e.g. you won't be taken over by some social engineering easily) then you will be safer however you can never fully protect yourself against social engineering due to how your human brain works, we are all human and somehow will become mistaken/mislead by information to cause us to perform actions. :p

The only thing you can do to protect yourself against social engineering is think before you do things and validate if things are genuine as best as possible. For example, don't open up e-mails found from your spam folder and don't click on any links from unexpected e-mails without making sure the e-mail is from a trusted sender (a large majority of malware infections are actually spread through e-mail and some of the worlds most damaging malware has been spread via e-mail in the past).

Without that being said, genuine companies like LinkedIn, PayPal, Google, Microsoft, your phone provider (etc) will NEVER request details such as credit card information, address information, driving license/ID information, or even your damns cat name over something like e-mail... They will always find a more appropriate and safer method of contacting you - and why would a company like LinkedIn ever need your ID/driving license? It's things like this you need to really think about.

Not being click-happy is a good defence against falling into social engineering traps, and thinking before providing sensitive information is very important. Would you go to a random stranger and tell them where you lived and what your credit card details were? No, you wouldn't, so never enter this information online unless it's on a trusted site with a valid purpose (e.g. purchasing an item from the genuine Amazon website which is secured via HTTPS).

Example of social engineering over the web:
For example, I could call up a service and claim to be a family member of the targets account I am trying to gain access too... To do this I would need basic information, and I would need to sound really confident. I can make up an excuse like "My brother is currently dealing with his child and wife" and then play some baby sounds or a women voice in the background of the speakers from a long distance (while keeping it heard from the phone so the person behind the phone on the other side ends up believing it). In the end you can social engineer them into modifying the account details of the target (e.g. the password). An example of something like this being done is demonstrated in this video: (the social engineering part with the women who calls up the company and tricks the phone service into believing she is the targets wife so they change the account credentials).

Example of social engineering in person:
For example, if I walked into a business work-place environment dressed like an I.T technician and walked up to the help-desk and acted like I worked at the work-place and started talking about server updates and security maintenance, chances are I would successfully gain permission from the man/women behind the help-desk to get physical access to their systems (which would then allow me to infect it with malware, walk out of the work-place, take off my plastic surgery disguise mask and carry on with my days :D).

All-in-all with lots of studying and practise it is relatively easy for a hacker to gain a good grasp with social engineering and use these tactics to attack individuals or even full businesses... Lots of damage can be done since it's exploiting a weakness in the individuals who receive the calls/e-mails/contact with the hacker to cause them to be mislead and perform actions of the hackers desire.


This phishing campaign evolves around social engineering from the minute the e-mail lands in the targets inbox...

The title of the e-mail implies it's from a trusted sender whereas the actual sender of the e-mail is not (and the e-mail wasn't even spoofed to make it look more reliable). The point of the title of the e-mail relating to LinkedIn is for the target to look at the e-mail and notice it due to the keyword "LinkedIn" (since most people know of this company and know it's a big social network), causing them to click on it.

Due to the user clicking on the e-mail they are then presented with the body text of the e-mail which is also based on social engineering... The text has been specifically crafted to help push the target into believing it is real and pressure them into performing the actions quickly (due to the time limit notice left behind). Then it follows on from there, if they fell for clicking the link then the chances are they will be social engineered into providing all the information the hacker requested!

Regarding the HTTPS websites being used in the phishing attack, the websites being used (Dropbox and LinkedIn) are actually the genuine versions, however they are being abused by the attacker to make it seem realistic... For example, the Dropbox link to the file may be part of a phishing attack however the actual Dropbox site is secure and therefore it's HTTPS (like the original - because it IS the original site being used), and for the LinkedIn part the attackers have modified the URL to cause the password reset page to show up (it'll show regardless of if you even use LinkedIn since it's aimed towards an existing account to make you believe it's genuine and real afterwards).

Even if the attackers didn't rely on the official version of Dropbox/LinkedIn (they could have made their own website following the same design and infringing it if they really wanted too), they could have bought an SSL signature for a cheap price from trusted vendors and had their websites being used for these attacks (with malicious intent) HTTPS secured (to make it seem more genuine and trusted - also part of social engineering).

Another example of different phishing attacks would be a software which claims to be a "PayPal Money Hack" or "PSN Gift Card Generator" where you as the target is requested to enter your account credentials - these are then forwarded back to the attacker and a popular method used by the hackers for this would be to send the information from the software back to the attacker via e-mail (reversing these hack tools usually allow you to even see the e-mail login credentials owned by the hacker, too).

Phishing attacks evolve mainly around social engineering since it's not the practise of the attacker silently stealing the information without
any user-interaction, it's the process of the user providing the interaction/the details which are then being sent over to the attacker.

could someone tell me how they manged to create https in a fake linkedin webpage? @Wave for sure you may know it :p
To answer this briefly, they didn't create it themselves, they used the genuine copies to trick the user into believing it was real. E.g. navigated to the genuine LinkedIn website and passed what you can call "parameters/arguments" to the web URL to cause it to go to the password reset page with preset values of the target account (which did exist) for the password reset page to show.

I know I started to mumble off on one about phishing in general, if I misunderstood your questions let me know and I'll try to understand it better the next time and focus on answering it strictly. :)
 

Dirk41

Level 17
Verified
Top Poster
Mar 17, 2016
797
no problem, I appreciate every single word :)
the paragraph about https is exatcly the explaination I was looking for :)


(today if i don't disable ublock origin i can't post here)
 
  • Like
Reactions: frogboy and Wave
W

Wave

(today if i don't disable ublock origin i can't post here)
I'm using uBlock Origin right now and MalwareTips is working perfectly fine, I recommend you contact @Jack to check if there are any conflicts with custom uBlock Origin settings whilst using this site (since I am using default settings). :)
 
  • Like
Reactions: frogboy

Dirk41

Level 17
Verified
Top Poster
Mar 17, 2016
797
thank you, don't bother I don't wanto to go OT (ublock origin costum filters but only in this thread it seems. i posted somewhere else and no problems. it seems something is kidding me XD . so strange. iphone did not open this thread, and PCs can't post with origin only in this thread)

well sorry for the OT, no problem. i live in a sandbox
 
  • Like
Reactions: frogboy and Wave

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Phishing techniques like these are not surprising at all, they just recycle and improve to lure more users.

You cannot blame the website registrars to block those fraudelent sites, however that suppose eliminate the spams in majority if they insist too.

Email providers are also responsible to share our information to others hence result to receive ourselves with unknown mails.
 

conceptualclarity

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,076
For example, don't open up e-mails found from your spam folder and don't click on any links from unexpected e-mails without making sure the e-mail is from a trusted sender (a large majority of malware infections are actually spread through e-mail and some of the worlds most damaging malware has been spread via e-mail in the past).

Too bad that my current spam folder contains only trusted senders' emails and the stranger emails never go there. I have complained, to no avail.
 
  • Like
Reactions: frogboy

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top