Email phishing attacks impersonating LinkedIn have increased by 232% since February 1, 2022, according to Egress.
The cybersecurity vendor said this surge is linked to the so-called ‘Great Resignation,’ in which record numbers of employees are leaving their jobs and searching for new opportunities amid the COVID-19 crisis. For example, a record number of Americans left their jobs in 2021.
Vast numbers of jobseekers use LinkedIn to find and apply for new positions, and the researchers revealed that cyber-attackers are increasingly leveraging the professional social networking site to socially engineer victims into clicking on phishing links and then entering their credentials into fraudulent websites.
The sophisticated attacks all follow a similar pattern – using webmail addresses with a LinkedIn display name – while the phishing emails are sent from separate webmail accounts that have zero correlation to each other. They also use subject lines similar to those used by the social networking site, including: ‘You appeared in 4 searches this week,’ ‘You have 1 new message,’ ‘Your profile matches this job’ and ‘Who’s searching for you online.’
In addition, the attackers use multiple stylized HTML templates to make the emails appear genuine, incorporating the LinkedIn logo, brand colors and icons. The bottom of the message accurately mimics LinkedIn’s genuine email footer, with its global HQ address, hyperlinks to unsubscribe and to its support section, and the recipient’s information.
Within the body of the email, other well-known organizations’ names are used, including American Express and CVS Carepoint. When the links are clicked, the victim is taken to a website that harvests their LinkedIn log-in credentials.
Egress said the attacks successfully bypass traditional email security defenses to reach people’s inboxes. Currently, it is unknown whether the attacks are being conducted by a single cyber-criminal or a gang operating together.
Egress VP of threat intelligence Jack Chapman explained: “Current employment trends help to make this attack more convincing. ‘The Great Resignation’ continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands. While the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other. Currently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.
“The targets vary, covering companies in both North America and the UK, and operating within different industries. LinkedIn states it has over 810 million members in more than 200 countries, which provides an extensive victim pool for cyber-criminals. Many professionals choose to include their corporate email address within their profile, and many regularly receive update communications from LinkedIn. Consequently, they could be more trusting of a stylized phishing email. The cyber-criminal(s) involved has likely used a legitimate LinkedIn email as their starting point for these attacks. They have used branded elements, including the current LinkedIn logo, to make the phishes more convincing.”
Responding to the findings, a LinkedIn spokesperson highlighted measures the firm has put in place to protect its members from such impersonation attacks: “Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification. To learn more about how members can identify phishing messages, see our Help Center here.”
Yesterday, Barclays released new research on scams, which found nearly two-thirds (64%) of Brits would be more likely to comply with a request if it came from a high-profile institution.