Cybercriminal attacks on social media user accounts to gain access to user credentials are becoming more refined and sophisticated. Comodo Threat Research Lab recently thwarted an attack aimed at LinkedIn users.

“This attack demonstrates how sharply cybercriminals raise the complexity of their attacks. For example, this attack merged cybertechnologies and manipulative psychology,” says Fatih Orhan, head of the Clifton, N.J.-based Comodo Threat Research Lab. “This trend will definitely increase, making the landscape of online security increasingly dangerous. The cybersecurity community must be prepared for attacks such as these. Comodo clients did not suffer from this attack because Comodo software blocked the phishing emails, preventing the emails from reaching their intended targets.”

Comodo Threat Research Lab discovered that the latest attack came from two IP addresses: one in British Columbia, Canada, and the other in Thailand. The attack started on February 1, 2018.

Phishing email tricks, often based on deception, play a primary role in these attacks. There were 14 emails sent from the email address [email protected] (an inactive domain) with each email addressed to a different user during January. The email imitated a standard LinkedIn message that a user receives when another user wants to connect.

The email did resemble a LinkedIn message: it had the LinkedIn logo and familiar design, including the “View profile” and “Accept” options. There were inconsistencies, however. The email addresses in the “From” and “Reply” fields were not actual LinkedIn email addresses.

Once the user clicked an option, they were redirected to a page that looked like the official LinkedIn sign-in page, putting the user one click away from a new prospective contact on LinkedIn. The link led to a page similar to the official LinkedIn URL, but it was instead a phishing site created by cybercriminals to steal LinkedIn user credentials. If users submitted their login and password, the credentials went right into the wrong hands.
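
The inconsistencies described above (sender fields that are not LinkedIn addresses, and buttons that lead off LinkedIn) can be checked mechanically. The Python sketch below is an added example, not Comodo's code; the trusted-domain list is an assumption, and the sample message uses constructed placeholder addresses and URLs.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "linkedin"
TRUSTED = ("linkedin.com",)  # assumption: domains accepted as genuine LinkedIn

# Constructed sample message; every address and URL is a placeholder.
SAMPLE = """\
From: LinkedIn <invite@mailer.example>
Reply-To: connect@replies.example
To: user@example.org
Subject: Jane Doe wants to connect on LinkedIn
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Jane Doe would like to connect on LinkedIn.</p>
<a href="https://linkedin.signin.example/login">View profile</a>
<a href="https://linkedin.signin.example/login">Accept</a>
<a href="https://www.linkedin.com/help">Help</a>
</body></html>
"""

def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_message(raw):
    """List (field, domain) findings for mail that presents itself as LinkedIn."""
    msg = message_from_string(raw)
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")
    display = parseaddr(msg.get("From", ""))[0]
    claimed = " ".join([display, msg.get("Subject", ""), body]).lower()
    if BRAND not in claimed:
        return []  # message does not claim to be from the brand
    findings = []
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and not is_trusted(addr.rpartition("@")[2]):
            findings.append((header, addr.rpartition("@")[2].lower()))
    hosts = [urlsplit(u).hostname for u in re.findall(r'href="([^"]+)"', body, re.I)]
    for host in dict.fromkeys(hosts):  # de-duplicate, keep order
        if not is_trusted(host):
            findings.append(("link", host))
    return findings
```

An empty result means no mismatch was found, not that the message is safe.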

“Cybercriminals hunt for credentials because it is a powerful springboard for further malicious activity. They can use account information to support a multitude of criminal activities, including fraud, identity theft, even terrorism propaganda,” Orhan said.

Cybercriminals also try to use stolen credentials to break into other accounts, including online banking. They know most people use the same password for different accounts, and they obtain additional private information about users to aid in future spear-phishing or social engineering attacks.

LinkedIn is of major interest to cybercriminals because it is a place of vibrant business activity. A huge number of potential targets exist on LinkedIn, such as high-ranking C-level employees at leading companies.

Comodo detailed some LinkedIn attack tricks:

  • First, users can click on the malicious link only one time; the URL then expires and the phishing page disappears. Comodo Threat Research Lab believes this is a trick cybercriminals use to cover their tracks, allowing them to remain undetectable for a longer period.
  • Secondly, a special feature of this attack is the social engineering approach. Comodo experts found similar phishing email attacks imitate senders from Kuwait and Saudi Arabia. This is a psychological trick, as many people in the business world associate these countries with wealth, which increases the chances the user takes the bait.
  • Additionally, the phishing email imitated a real LinkedIn message and used the name of the company and person with an account on LinkedIn. These cybercriminals take it a step further, using websites to support the phishing message.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.