Select Page

Cyren Security Blog

LinkedIn Phish Kit

Scam Warning

by Kervin Alintanahin

Back in January, LinkedIn posted a warning about connection requests from individuals impersonating employees of a legitimate organization. These requests come from newly created accounts. If someone accepts the request, the attackers will have more access to the victim’s data. With this information, they can create specific spear-phishing emails/messages to deploy malicious payloads.

A more dangerous scenario is if another user’s account is hacked. Those who are connected to the victim could easily fall victim to phishing emails/messages since there is a sense of trust that they know the sender.

Usually, threat actors use a phishing\fake LinkedIn webpage to do the deed. They use a phish kit, which most of the time can be easily purchased online or by just modifying existing ones. They will set up the fake page using a compromised website or a legitimate hosting website using free accounts. The image below is an example of a LinkedIn phishing page generated from the kit. It is similar to the login page of the legitimate site.

Figure 1 Official LinkedIn login page

Figure 2 Malicious LinkedIn login page

Below is the code snippet of the phishing page redirecting the user to the legitimate LinkedIn website.

Interestingly, a php configuration file contains some emails that were documented by a user in GitHub with a name handle Neonprimetime. Its GitHub space was used to document phish kits. Please take note that the related data was dated back in 2019. It could be that the people behind such malicious activities are just recycling old resources.

The ease of setting up these phishing pages is one of the reasons they can do this on a regular basis. Thus, providing the bad actor with more chances of their attacks being successful.

Best Practice and Recommendation

Users are advised to be mindful of who they add to their social networks and be aware of phishing messages, especially the ones with links. Make sure to carefully verify and check that it will lead to a legitimate website. For businesses, timely threat intelligence can be useful but real-time analysis is proving to be a game changer.

IOC:

hxxp://e-tanam[.]dishut.jabarprov.go[.]id/scripts/services/www.login.linkedin.com/sign-in/lin/index.html
hxxp://melbourneitservicecentre[.]com.au/www/mynetwork/comm/linkedin.com/sign-in/lin/index.html
hxxps://eco-consult[.]uz/.well-known/www.linkedin.com/comm/mynetwork/linkedin.com/sign-in/lin/index.html
hxxp://eco-consult[.]uz/.well-known/www.linkedin.com/comm/mynetwork/linkedin.com/sign-in/lin/index.html
hxxp://radioparallax.com/data/linkedln_puzo.zip
hxxp://uniquegaragedoorsbydylan.com/wp/lin.zip

Files:

6d8a3e6d3f0fce1850b54a656030e6fa0349612416bb7217123046f69635fa78 – JS/Phish.SC , PHP/Phish.M

References:

You might also like

Anti-Phishing Software Solutions: What Are They?

We live in a fully digital world, where daily communication and business correspondence is done over email. While a multitude of benefits has come from this dependence on digital communication like increased productivity and efficiency, one threat persists, and it’s...

What is the Difference Between Vishing & Phishing Attacks?

Phishing attacks are an extremely common way hackers can gain access to your businesses’ sensitive or confidential information. In fact, 74% of organizations in the United States experienced a successful phishing attack. Additionally, Google has registered 2,145,013...