LinkedIn users are being targeted via a new phishing campaign which is aiming to get Microsoft login credentials of finance leaders. The attackers are ditching the usual phishing emails and using a new sophisticated method to target high value individuals.
The victims are first contacted via a direct message on LinkedIn from a seemingly legitimate profile. The attacker sends what is claimed to be an invitation for the executive to join the executive board of a newly created “Common Wealth” investment fund.
“I’m excited to extend an exclusive invitation for you to join the Executive Board of Common Wealth investment fund in South America in partnership with AMCO – Our Asset Management branch, a bold new venture capital fund launching an Investment Fund in South America.”
The offer sounds prestigious and high value, tempting the target to look forward to a career milestone. The real scam, however, begins here, as the message also contains a link to a document or proposal which the victim needs to review in order to accept the position.
Clicking the link takes the user through a series of redirects: first via Google Search, then through an attacker-controlled site, and finally to a custom landing page hosted on firebasestorage.googleapis[.]com. Clicking one of the document links on that page prompts the victim to view the document with Microsoft.
The user is then taken to a custom-designed adversary-in-the-middle (AiTM) phishing page which mimics the look of an official Microsoft login screen. Entering credentials and completing the sign-in on this page results in the credentials being stolen by the attacker.
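The redirect chain described above (Google redirect, attacker-controlled site, Firebase Storage landing page) is something a defender can hunt for in web proxy logs. The following is an added example, not code from the article or from Push Security; it assumes a simple "timestamp user url" log format, models the Google Search hop as a google.com/url redirect, and uses constructed sample lines with placeholder hostnames.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article): "timestamp user url".
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice https://www.google.com/url?q=https://lure-example.invalid/doc
2024-05-01T09:00:02 alice https://lure-example.invalid/doc
2024-05-01T09:00:04 alice https://firebasestorage.googleapis.com/v0/b/example/o/proposal.html
2024-05-01T09:10:00 bob https://www.google.com/url?q=https://docs.example.com/report
2024-05-01T09:10:01 bob https://docs.example.com/report
2024-05-01T11:00:00 carol https://firebasestorage.googleapis.com/v0/b/app/o/logo.png
"""

# Assumed time window within which the three hops must occur to count as one chain.
WINDOW = timedelta(seconds=30)


def parse(log):
    """Group (timestamp, url) events per user, preserving log order."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, user, url = line.split(" ", 2)
        events[user].append((datetime.fromisoformat(ts), url))
    return events


def host(url):
    return urlparse(url).hostname or ""


def find_chains(log):
    """Return {user: (google_redirect_url, firebase_landing_url)} for users whose
    browsing shows: a Google redirect, then a non-Google third-party host, then a
    firebasestorage.googleapis.com page, all within WINDOW.  A lone Firebase hit
    (carol) or a Google redirect to a normal site (bob) does not match."""
    hits = {}
    for user, evs in parse(log).items():
        for i, (t0, u0) in enumerate(evs):
            if host(u0) != "www.google.com" or "/url?" not in u0:
                continue
            saw_third_party = False
            for t, u in evs[i + 1:]:
                if t - t0 > WINDOW:
                    break
                h = host(u)
                if h == "firebasestorage.googleapis.com" and saw_third_party:
                    hits[user] = (u0, u)
                    break
                if not h.endswith(("google.com", "googleapis.com")):
                    saw_third_party = True
    return hits
```

A match is a lead for investigation, not proof of compromise; the Firebase host is also used legitimately, which is why the script requires the full three-hop sequence.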
The campaign was unearthed by Push Security, which says it recently detected and blocked a high-risk LinkedIn phishing attack.
“Attackers are using common bot protection technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged),” Push Security said in a blog post.
The company also stated that phishing campaigns are moving from primarily email to social media apps, which means organizations should be on guard against this attack vector.
“Just because the attack happens over LinkedIn doesn’t lessen the impact — these are corporate credentials and accounts being targeted, even if it is nominally a “personal” application. Taking over a core identity like a Microsoft or Google account can have wide-ranging consequences, putting data at risk in both core apps and any downstream apps that can be accessed via SSO from the compromised account,” Push Security warned.