Skip links

LinkedIn Smart Links abused in evasive email phishing attacks

Share:

Facebook
Twitter
Pinterest
LinkedIn

Phishing actors are abusing LinkedIn’s Smart Link feature to bypass email security products and successfully redirect targeted users to phishing pages that steal payment information.

Smart Link is a feature reserved for LinkedIn Sales Navigator and Enterprise users, allowing them to send a pack of up to 15 documents using a single trackable link.

Besides its versatility, Smart Link provides marketing people with analytics, generating reports about who viewed the shared content and for how long.

Hence, phishing actors aren’t just using Smart Link for bypassing email security protections but can also gain insight into the effectiveness of their campaigns, allowing them to optimize their lures.

The new trend of Smart Link abuse for phishing was spotted by threat analysts at Cofense, who have observed campaigns targeting Slovakian users with bogus postal service lures.

(In)Secure redirection

The phishing email sent to targets supposedly originates from Slovenská pošta, the state-owned postal service provider in Slovakia, informing the recipient of the need to cover costs for a parcel that’s pending shipment.

Using email header trickery, the address appears legitimate to the recipient, but if examined closely, it becomes clear that the sender is actually “sis.sk@augenlabs.com”, entirely unrelated to the postal service.

Phishing email sample (Cofense)

The embedded “confirm” button contains a LinkedIn Smart Link URL, with added alphanumeric variables at its end to redirect the victim to a phishing page. (“linkedin[.]com/slink?code=g4zmg2B6”)

The redirection feature in Smart Links is typically used for promoting marketing pages, advertisements, etc., but threat actors abuse it to override security checks.

The presented shipment cost on the landing page isn’t high, set to a realistic €2.99, but the goal of the phishing actors isn’t to receive money but to steal the target’s credit card details, including the number, holder’s name, expiration date, and CVV.

The phishing webpage where victims are requested to enter their card details (Cofense)

Visitors who enter the information and click on “submit” will be informed that their payment has been received and eventually redirected to a final SMS code confirmation page with the sole purpose of sprinkling legitimacy in the process.

Bogus SMS confirmation step added for authenticity (Cofense)

While this still-ongoing campaign targets Slovakians, the abuse of LinkedIn Smart Link by phishing actors with a broader scope may be just a matter of time.

BleepingComputer has contacted LinkedIn to ask if they have plans to implement safeguards to prevent this abuse, but we have not heard back yet.

Adblock test (Why?)

Share:

Facebook
Twitter
Pinterest
LinkedIn
Explore
Drag