{"id":89933,"date":"2021-05-28T17:25:17","date_gmt":"2021-05-28T11:55:17","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=89933"},"modified":"2023-02-20T16:06:35","modified_gmt":"2023-02-20T10:36:35","slug":"linkedin-phishing-scam-hackers-target-users-with-fake-job-offers","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/linkedin-phishing-scam-hackers-target-users-with-fake-job-offers\/","title":{"rendered":"LinkedIn Phishing Scam: Hackers target users with fake job offers"},"content":{"rendered":"

LinkedIn is a popular social networking platform that is focused on professional networking and the business community. On this platform, users are focused almost entirely on making connections and finding jobs. But things are not always as they seem. Of late, LinkedIn is emerging as one of the most popular social networking sites used by attackers for phishing attacks<\/a>.<\/p>\n

In one of the recent alleged breaches at LinkedIn, attackers claimed that \u201cScraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof\u201d. In this\u00a0data breach<\/a>\u00a0LinkedIn profiles, user IDs, email addresses, phone numbers, professional titles, job-related descriptions data were leaked. It is suspected that attackers use this data and harvest user credentials and other personal information with phishing attacks and more. Although the official statement from\u00a0LinkedIn<\/a>\u00a0on this data is that \u201cThis was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we\u2019ve been able to review<\/em>.\u201d<\/p>\n

While analysing such LinkedIn messages or emails, we observed that attackers are spear-phishing the victims with tiny or shorten URLs using the job description or details listed on the target\u2019s LinkedIn profile. When the unsuspecting victim clicks on the URL, the victim is redirected to phishing links and then to a fake Microsoft 0-365 login to harvest the credentials. In some cases, attacks have used links that download banking malware or backdoors on the victim\u2019s machine.<\/p>\n

Detailed flow diagram<\/strong><\/p>\n

\"\"<\/p>\n

Fig 1. Flow Diagram\u00a0<\/em><\/p>\n

 <\/p>\n

Sample Spam LinkedIn Message<\/h3>\n

Here is a sample LinkedIn message, which looks like a job offering message with a malicious link.<\/p>\n

\u201cHi there, I hope you are doing well! We have a personal project from a client I am presently taking on. It is still in the initial stages of follow-up. From your profile, we see your competencies could be useful. Kindly access this proposal via the link below and advice. (<\/em>tinyurl[.]com[\/]ndependentConsultantInTelecom<\/em>) We look forward to your prompt and positive response. Kind Regards, Independent Consultant in Telecom and IT Services Industry<\/em>\u201d<\/p>\n

While analyzing URL \u201ctinyurl[.]com\/LeaderatCiscoSystems<\/strong>\u201d redirected to a hardcoded one-drive link -><\/p>\n

\u201chttps[:]\/\/onedrive[.]live[.]com\/?authkey=%21AK44ek3RzZkt3sk&cid=25AEBC3DBC26A975&id=
\n25AEBC3DBC26A975%21120&parId=25AEBC3DBC26A975%21119&o=OneUp\u201d<\/div>\n

This link is then downloaded as a PDF file.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Fig 2. PDF file<\/em><\/p>\n

 <\/p>\n

Once we open the PDF file, it shows “view message folder” as a clickable link. Upon click, it redirects to<\/p>\n

https[:]\/\/motemoat[.]net\/proposal\/owa\/index.php, which further redirects to a long URL as given below:<\/p>\n

\u201chttps[:]\/\/motemoat[.]net\/proposal\/oWa\/1c7d4ce11e790d9a70714069a60fd205\/&(+y6+6==&=60~wuz9%5Ep0&))~%5Epzz&%5Eppzp=ke9p$=0=z~pwyeea0x%60|%5Ex=@+wpy9w&&+
\n6+wpkp&90w&=a~a=&+$p0.php?login=&.verify?service=mail&data:text\/html;js6\/main.jsp?sid=CAgbePXXjcVpfthPNgXXCcgDQZImqqTE&df=webmail126#module=welcome.WelcomeModule
\n%7C%7B%7D=default&ltmplcache=2&emr=1&osid=1#identifier\u201d<\/div>\n

The above URL shows a fake Microsoft<\/a> login page as below –<\/p>\n

\"\"<\/p>\n

Fig 3. Fake Microsoft Login Page<\/em><\/p>\n

 <\/p>\n

After adding credentials the first time, it shows an incorrect account or password.<\/p>\n

\"\"<\/p>\n

Fig 4\u2013 Showing incorrect account or password.<\/em><\/p>\n

After adding again, it shows the message \u201cYour account process is completed,\u201d here we can suspect that account credentials information gathering activity happens.<\/p>\n

\"\"<\/p>\n

Fig. 5 – Account Completed\u00a0<\/em><\/p>\n

Further, this redirected to the legitimate outlook page.<\/p>\n

The same PDF file has one more URL, which is the hyperlink to the word \u201cMessage\u201d “https[:]\/\/good354la354dsaporrpe.org\/proposal\/oWa\/index.php”.<\/p>\n

Another URL we analyzed \u201ctinyurl[.]com\/ndependentConsultantInTelecom\u201d<\/strong>\u00a0 This URL to redirects to a one drive link.<\/p>\n

\u201chttps[:]\/\/onedrive[.]live[.]com\/?authkey=%21AKHcqNAx%2D4BHzLg&cid=25AEBC3DBC26A975&id=25AEBC3DBC26A975%21124&
\nparId=25AEBC3DBC26A975%21123&o=OneUp\u201d<\/div>\n

 <\/p>\n

\"\"<\/p>\n

Fig. 6 – Document File\u00a0<\/em><\/p>\n

This link is also alive and downloads a doc file.<\/p>\n

Once the DOCX. the file is opened, it shows a link with the text “view message folder”. This link redirects to<\/p>\n

https[:]\/\/motemoat[.]net\/proposal\/owa\/index.php.<\/p>\n

On more URLs is a hyperlink to the word \u201cMessage\u201d “https[:]\/\/good354la354dsaporrpe.org\/proposal\/oWa\/index.php”.<\/p>\n

This URL is also down as of now. It\u2019s the same as the one found in the earlier PDF file variant.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Fig.7 – Embedded link on the text<\/em><\/p>\n

\u00a0<\/em><\/p>\n

About the URLs and their respective domains<\/h3>\n

1. “https[:]\/\/motemoat[.]net\/proposal\/oWa\/index.php”<\/p>\n

    \n
  • I.P:162.241.71.191<\/li>\n
  • Domain Name: MOTEMOAT.NET<\/li>\n
  • Admin City: Scottsdale<\/li>\n
  • Admin Country: US<\/li>\n
  • Admin Email: 77a661c69ce7e338s@domainsbyproxy.com<\/li>\n
  • Admin State\/Province: Arizona<\/li>\n
  • Creation Date: 2015-03-01T20:05:14Z<\/li>\n
  • Updated Date: 2021-03-02T08:14:32Z<\/li>\n
  • Name Server: NS39.DOMAINCONTROL.COM<\/li>\n
  • Registrant Country: US<\/li>\n<\/ul>\n

     <\/p>\n

    2. “https[:]\/\/good354la354dsaporrpe[.]org\/proposal\/oWa\/index.php”<\/p>\n

      \n
    • I.P :162.241.71.191 (same as above domain)<\/li>\n
    • Domain Name: GOOD354LA354DSAPORRPE.ORG<\/li>\n
    • Creation Date: 2021-04-30T01:56:00Z<\/li>\n
    • Updated Date: 2021-05-04T08:44:08Z<\/li>\n
    • Name Server: NS01.ONE.COM<\/li>\n
    • Registrant Country: GB<\/li>\n
    • Registrar URL: http:\/\/www.ascio.com<\/li>\n
    • Registrar: Ascio Technologies, Inc. Danmark – Filial af Ascio technologies, Inc. USA<\/li>\n<\/ul>\n

       <\/p>\n

      Tips to spot phishing attempts<\/h2>\n

       <\/p>\n

        \n
      • Verify the Message or sender\u2019s account details, email IDs, name, etc., as possibly some known LinkedIn connection\u2019s account, may have been hacked or credentials stolen and account misused.<\/li>\n
      • Be aware of fake 0-365 links as it is used for credentials harvesting. Always check the URLs\/domain in the links and the page. If it looks mismatched with the original, avoid visiting and putting any credentials on such phishing pages.<\/li>\n
      • Scan attachment files coming through the message or email even if it is coming from a trusted user.<\/li>\n
      • Any open document shared on LinkedIn should never ask for 0365 or mail credentials as both have no relation.<\/li>\n
      • Even if the scam and phishing emails don\u2019t ask you to avoid getting suspected immediately, they may still try to target the legitimate LinkedIn users\u2019 credentials harvesting.<\/li>\n
      • Message Content & Email format:\u00a0 Carefully read the nature of the email, intention, check grammatical errors & visual style, and verify email signature.<\/li>\n
      • The most recent LinkedIn-themed spam campaigns may differ, but their purpose remains the same, so keep your account secure with a strong password.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

        LinkedIn is a popular social networking platform that is focused on professional networking and the business community. On this platform, users are focused almost entirely on making connections and finding jobs. But things are not always as they seem. Of late, LinkedIn is emerging as one of the most popular social networking sites used by […]<\/p>\n","protected":false},"author":54,"featured_media":89941,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[146,303,1674,293,1772],"tags":[534,446,1819,147,72,25,50,613,162],"class_list":["post-89933","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linkedin","category-phishing","category-scam-alert","category-spam","category-spear-phishing","tag-cybersecurity","tag-data-breach","tag-fake-job-offer","tag-linkedin","tag-microsoft","tag-phishing","tag-ransomware","tag-scam","tag-spam"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89933"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/54"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89933"}],"version-history":[{"count":10,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89933\/revisions"}],"predecessor-version":[{"id":91469,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89933\/revisions\/91469"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/89941"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}