Threat Actor Abuses LinkedIn’s Smart Links Feature to Harvest Credit Cards

A malicious campaign targeting Internet users in Slovakia is yet another reminder of how phishing operators often exploit legitimate services and brands to evade security checks.

In this case, the threat actors are leveraging a LinkedIn Premium feature called Smart Links to direct users to a phishing page to collect credit card information. The link is embedded in an email purportedly from the Slovak postal service and is a legitimate LinkedIn URL, so it is unlikely that secure email gateways (SEGs) and other filters are blocking it.

“In the case Cofense found, attackers used a trusted domain like LinkedIn to bypass secure email gateways,” said Monnia Deng, director of product marketing at Bolster. “The legitimate link from LinkedIn then redirected the user to a phishing website where they went to great lengths to make it appear legitimate, such as adding a fake text message authentication.”

The email also asks the recipient to pay an incredibly small amount for a package that is apparently awaiting delivery to them. Users tricked into clicking the link are taken to a page designed to look like one the Postal Service uses to collect online payments. But instead of just paying for the supposed package shipment, users also end up giving away all their payment card details to the phishing operators.

Not the first time the Smart Links function has been misused

The campaign is not the first time that threat actors have abused LinkedIn’s Smart Links feature – or Slinks, as some call it – in a phishing operation. But it marks one of the rare cases where emails containing doctored LinkedIn Slinks have ended up in users’ inboxes, said Brad Haas, senior intelligence analyst at Cofense. The phishing protection service provider is currently monitoring the ongoing Slovak campaign and this week issued a report on its analysis of the threat so far.

LinkedIn’s Smart Links is a marketing feature that lets users who subscribe to its Premium service direct others to content the sender wants them to see. The feature allows users to use a single LinkedIn URL to direct users to multiple marketing materials – such as documents, Excel files, PDFs, images and web pages. Recipients receive a LinkedIn link that, when clicked, redirects them to the content behind it. LinkedIn Slinks allow users to get relatively detailed information about who might have seen the content, how they might have interacted with it, and other details.

It also gives attackers a convenient – and very credible – way to redirect users to malicious websites.
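Because the gateway sees only the trusted first hop, a defender has to judge the link by where the redirect chain ends, not where it starts. The Python below is an added example (not code from the article, Cofense or LinkedIn) that replays a recorded redirect chain offline and flags a link whose first hop is a trusted host but whose final destination is not; the trusted-host list, the `slink?code=` URL shape and the sample chain are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Hosts a gateway might trust on sight (assumption for this example).
TRUSTED_HOSTS = {"www.linkedin.com", "linkedin.com", "lnkd.in"}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def resolve_chain(start_url, hops, max_hops=10):
    """Replay a recorded redirect chain without touching the network.

    hops maps a URL to the Location header it returned (None = final page).
    Returns (final_url, path, reason) where reason is one of
    'final', 'loop' or 'too_many_hops'.
    """
    path, current, seen = [start_url], start_url, {start_url}
    for _ in range(max_hops):
        location = hops.get(current)
        if location is None:
            return current, path, "final"
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            return nxt, path, "loop"
        seen.add(nxt)
        path.append(nxt)
        current = nxt
    return current, path, "too_many_hops"


def classify_link(start_url, hops):
    """Verdict for one link: 'ok' or a 'suspicious: ...' reason."""
    final_url, _, reason = resolve_chain(start_url, hops)
    first, last = host_of(start_url), host_of(final_url)
    if reason != "final":
        return "suspicious: " + reason
    if first in TRUSTED_HOSTS and last not in TRUSTED_HOSTS:
        return "suspicious: trusted %s lands off-platform on %s" % (first, last)
    return "ok"


# Constructed sample chains; every host here is a placeholder, not an indicator.
SAMPLE_HOPS = {
    "https://www.linkedin.com/slink?code=EXAMPLE": "https://tracker.example.net/r?id=1",
    "https://tracker.example.net/r?id=1": "/landing",
    "https://tracker.example.net/landing": "https://posta-pay.example.invalid/pay",
    "https://posta-pay.example.invalid/pay": None,
    "https://www.linkedin.com/slink?code=OK": "https://www.linkedin.com/posts/example",
    "https://www.linkedin.com/posts/example": None,
}
```

A production check would record the chain with real HEAD/GET requests in a sandbox and apply the same verdict logic; the replay form here keeps the example runnable offline.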

“It’s relatively easy to create Smart Links,” says Haas. “The biggest barrier to entry is that it requires a Premium LinkedIn account,” he notes. “A threat actor would have to purchase the service or gain access to a legitimate user’s account. But other than that, it’s relatively easy for threat actors to use these links to send users to malicious websites,” he says. “We’ve seen other phishing threats abuse LinkedIn Smart Links, but today it’s uncommon to see it in inboxes.”

Use of legitimate services

Attackers’ increasing use of legitimate software-as-a-service and cloud offerings such as LinkedIn, Google Cloud, AWS and numerous others to host malicious content or direct users to it is one of the reasons why phishing remains one of the primary initial access vectors.

Last week, Uber experienced a catastrophic breach of its internal systems after an attacker socially engineered an employee’s credentials and used them to access the company’s VPN. In that case, the attacker — identified by Uber as belonging to the Lapsus$ threat group — tricked the user into accepting a multifactor authentication (MFA) request by pretending to be from the company’s IT department.

Significantly, attackers are leveraging social media platforms as a proxy for their fake phishing sites. Also worrying is the fact that phishing campaigns have evolved significantly to not only be more creative, but also more accessible to people who can’t write code, Deng adds.

“Phishing occurs anywhere you can send or receive a link,” adds Patrick Harr, CEO of SlashNext. Hackers cleverly use techniques that avoid the most protected channels, such as corporate email. Instead, they choose to use social media apps and personal emails as a backdoor into the business. “Phishing scams continue to be a serious problem for organizations and they are moving to SMS, collaboration tools and social,” says Harr. He notes that SlashNext has seen an increase in requests for SMS and message protection as compromises involving text messages become a bigger problem.
