LinkedIn phishing attacks up 232% in February

Egress | 16th Feb 2022

Since February 1st, 2022, we have recorded a 232% increase in email phishing attacks which are impersonating LinkedIn. These attacks use display name spoofing and stylized HTML templates to socially engineer victims into clicking on phishing links and then entering their credentials into fraudulent websites.

Quick summary of these attacks

  • Vector and type: Email phishing
  • Technique: Display name impersonation
  • Payload: Phishing links to harvest credentials
  • Targets: Organizations in North America and the UK
  • Platform: Outlook 365
  • Bypassed secure email gateway: Yes

These attacks use webmail addresses with a LinkedIn display name. The phishing emails are sent from different webmail accounts that have zero correlation to each other. They use targeted subject lines associated with LinkedIn, including:

  • You appeared in 4 searches this week
  • You appeared in 9 searches this week
  • You have 1 new message
  • Your profile matches this job
  • Who’s searching for you online

The emails use multiple stylized HTML templates, including the LinkedIn logo, brand colors and icons.

Within the body of the email, the cybercriminal uses other well-known organizations’ names (including American Express and CVS Carepoint) to make the attacks more convincing. When clicked, the phishing links send the victim to a website that harvests their LinkedIn log-in credentials.

The footer features elements from LinkedIn’s genuine email footer, including their global HQ address, hyperlinks to unsubscribe and to their support section, and the recipient’s information.

What the attacks look like

The emails below demonstrate the variety in HTML templates and subject lines used by the attacks.

You can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks.

 

Two LinkedIn phishing emails from February 2022 that use display name spoofing and stylized templates, with Egress Defend anti-phishing alerts visible

Egress analysis

Current employment trends help to make this attack more convincing. ‘The Great Resignation’ continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands.

While the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other. Currently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.

The targets vary, covering companies in both North America and the UK, and operating within different industries. LinkedIn states it has over 810 million members in more than 200 countries, which provides an extensive victim pool for cybercriminals. Many professionals choose to include their corporate email address within their profile, and many regularly receive update communications from LinkedIn. Consequently, they could be more trusting of a stylized phishing email.

The cybercriminal(s) involved has likely used a legitimate LinkedIn email as their starting point for these attacks. They have used branded elements, including the current LinkedIn logo, to make the phishes more convincing.

The attacks we have seen are bypassing traditional email security defenses to be delivered into people’s inboxes. Without technology deployed within the mailbox to help them detect attacks, it can be difficult for individuals to avoid falling victim. You can see in the screengrabs provided that Egress Defend has alerted the recipient to the attack within their inbox. 

The takeaways

We advise organizations to examine their current anti-phishing securing stack to ensure they have intelligent controls deployed directly into people’s mailboxes.

Individuals should take extreme caution when reading notification emails that request them to click on a hyperlink, particularly on mobile devices. We recommend hovering over links before clicking on them and going directly to LinkedIn to check for messages and updates.