A malicious campaign targeting Internet users in Slovakia is serving up another reminder of how phishing operators frequently leverage legitimate services and brands to evade security controls.
In this instance, the threat actors are taking advantage of a LinkedIn Premium feature called Smart Links to direct users to a phishing page for harvesting credit card information. The link is embedded in an email purportedly from the Slovakian Postal Service and is a legitimate LinkedIn URL, so secure email gateways (SEGs) and other filters are often unlikely to block it.
"In the case that Cofense found, attackers used a trusted domain like LinkedIn to get past secure email gateways," says Monnia Deng, director of product marketing at Bolster. "That legitimate link from LinkedIn then redirected the user to a phishing site, where they went to great lengths to make it seem legitimate, such as adding a fake SMS text message authentication."
The email also asks the recipient to pay a believably small amount of money for a package that is apparently pending shipment to them. Users tricked into clicking on the link arrive at a page designed to appear like one the postal service uses to collect online payments. But instead of merely paying for the supposed package shipment, users end up giving away their entire payment card details to the phishing operators as well.
Not the First Tine Smart Links Feature Has Been Abused
The campaign is not the first time that threat actors have abused LinkedIn's Smart Links feature — or Slinks, as some call it — in a phishing operation. But it marks one of the rare instances where emails containing doctored LinkedIn Slinks have ended up in user inboxes, says Brad Haas, senior intelligence analyst at Cofense. The phishing protection services vendor is currently tracking the ongoing Slovakian campaign and this week issued a report on its analysis of the threat so far.
LinkedIn's Smart Links is a marketing feature that lets users who are subscribed to its Premium service direct others to content the sender want them to see. The feature allows users to use a single LinkedIn URL to point users to multiple marketing collateral — such as documents, Excel files, PDFs, images, and webpages. Recipients receive a LinkedIn link that, when clicked, redirects them to the content behind it. LinkedIn Slinks allows users to get relatively detailed information on who might viewed the content, how they might have interacted with it, and other details.
It also gives attackers a convenient — and very credible — way to redirect users to malicious sites.
"It's relatively easy to create Smart Links," Haas says. "The main barrier to entry is that it requires a Premium LinkedIn account," he notes." A threat actor would need to purchase the service or gain access to a legitimate user's account. But besides that, it's relatively easy for threat actors to use these links to send users to malicious sites, he says. "We have seen other phishing threat actors abuse LinkedIn Smart Links, but as of today, it's uncommon to see it reaching inboxes."
Leveraging Legitimate Services
The growing use by attackers of legitimate software-as-a-service and cloud offerings such LinkedIn, Google Cloud, AWS, and numerous others to host malicious content or to direct users to it, is one reason why phishing remains one of the primary initial access vectors.
Just last week, Uber experienced a catastrophic breach of its internal systems after an attacker social engineered an employee's credentials and used them to access the company's VPN. In that instance, the attacker — who Uber identified as belonging to the Lapsus$ threat group — tricked the user into accepting a multifactor authentication (MFA) request by pretending to be from the company's IT department.
It's significant that attackers are leveraging social media platforms as a proxy for their fake phishing websites. Also troubling is the fact that phishing campaigns have evolved significantly to not only be more creative but also more accessible to people who can’t write code, Deng adds.
"Phishing occurs anywhere you can send or receive a link," adds Patrick Harr, CEO at SlashNext. Hackers are wisely using techniques that avoid the most protected channels, like corporate email. Instead, they are opting to use social media apps and personal emails as a backdoor into the enterprise. "Phishing scams continue to be a serious problem for organizations, and they are moving to SMS, collaboration tools, and social," Harr says. He notes that SlashNext has seen an increase in requests for SMS and messaging protection as compromises involving text messaging becomes a bigger problem.