
LinkedIn Phishing Investigation

  • Writer: vysecprivate
  • 4 days ago

Today one of our staff received a LinkedIn InMail message from a suspicious user suggesting a role at CK Hutchison Holdings. Our investigation found that the link used various attack techniques. In this blog post we explore what this specific campaign looks like so that a wider audience can be made aware of such attacks.


LinkedIn Approach


The threat actor approaches targets by sending LinkedIn InMail messages with a link to "View Role & Schedule Call". See below:


Landing Page and Protection Mechanisms

The link is on a Microsoft domain - specifically customervoice.microsoft.com, which is used for surveys and custom pages. Within that page there is a link to "Details". See below:



The Details link points to a Cloudflare-protected domain, very suspiciously displayed as https[://]oewxyqcu9[.]bsnqz[.]es/ejegkTBic!iZv/


The URL leverages Cloudflare's bot protection mechanisms to block automated security scanning solutions. See below:


From our analysis, the path is most likely a tracker. If the visitor connects from a Microsoft IP address or a major VPN hosting provider, the webpage redirects to https://www.target.com. Otherwise, it continues to an Evilginx-looking attacker-in-the-middle proxied Microsoft webpage, shown below:



In our experience, it is most likely using Evilginx, given that the protection mechanisms are the same.
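
One way to hunt for this click chain in web proxy logs, added here as an example and not part of the original investigation: it flags requests whose referrer is customervoice.microsoft.com and whose destination falls outside an allowlist. The log layout, the allowlist and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

LURE_HOST = "customervoice.microsoft.com"  # survey host named in the post
# Assumption: destinations you consider normal for a Customer Voice page.
ALLOWED = ("microsoft.com", "office.com", "linkedin.com")

# Constructed proxy log rows (time,user,url,referer); not real traffic.
SAMPLE_LOG = """\
time,user,url,referer
09:00:01,alice,https://customervoice.microsoft.com/page,https://www.linkedin.com/
09:00:09,alice,https://q7x2kd9.phish.example/AbCdEf/,https://customervoice.microsoft.com/
09:01:30,bob,https://support.microsoft.com/help,https://customervoice.microsoft.com/
09:02:11,carol,https://login.notmicrosoft.com/,https://customervoice.microsoft.com/page
09:03:00,dave,https://q7x2kd9.phish.example/AbCdEf/,
"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' when the field is empty or invalid."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_allowed(host):
    """Match on a label boundary so 'notmicrosoft.com' does not pass as Microsoft."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED)


def hunt(log_text):
    """Return (time, user, destination host) for off-allowlist clicks from the lure host."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        dest = host_of(row["url"])
        if host_of(row["referer"]) == LURE_HOST and dest and not is_allowed(dest):
            hits.append((row["time"], row["user"], dest))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Requests that arrive without a Referer header (the last sample row) are not matched, so treat an empty result as inconclusive.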


Conclusions

  • Remind employees to be wary of phishing attacks over platforms such as LinkedIn.

  • Attackers are using Cloudflare and IP address blocklists to prevent security solutions from scanning the phishing pages.

  • Attacker-in-the-middle attacks are being used by threat actors.



© 2025 SYON Security Limited

Licensed Penetration Testing Service Provider: CS/PTS/C-2023-0468
