Phishing remains a favourite of criminals for harvesting user credentials, using social engineering tricks of varying sophistication.
Recently, LinkedIn and Wells Fargo have once again found themselves at the center of a phishing campaign. The attackers are using compromised LinkedIn accounts to send phishing InMails that pose as a shared Wells Fargo document, both to the accounts' contacts via private message and to external members via email, in an attempt to steal credentials and personal information.
The campaign was first spotted by security researchers at cybersecurity firm Malwarebytes. Malwarebytes Senior Researcher Jerome Segura wrote in a blog post that the current crop of phishing attacks uses trusted accounts that had been hacked, including Premium membership accounts, which can contact other LinkedIn users (even those who are not direct contacts) via the InMail feature. The fraudulent message includes a reference to a shared document.
Like most phishing scams, the initial contact appears innocuous. Segura said the target receives an InMail stating:
I have just shared a document with you using GoogleDoc Drive
Most appear as if the LinkedIn user is sharing a Google Drive file with the victim and contain a malicious link, obscured by a URL shortener to hide its true destination. The link then redirects to a phishing site that imitates the login pages of Gmail and other email providers and requires potential victims to sign in. Those who proceed have their username, password, and phone number stolen but do not realize they were duped right away: the scam ends on a tricky note with a decoy document on wealth management from Wells Fargo.
URL shorteners are a well-known vehicle for spreading malware and phishing scams but they are also used for legitimate purposes, especially on social media where long URLs tend to be too cumbersome. In this attack, the perpetrators are abusing both ow.ly and a free hosting provider (gdk.mx) to redirect to the phishing page, itself hosted on a hacked website.
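One defender-side way to unwrap such a chain before anyone clicks is to follow the redirects with HEAD requests only and flag the traits described above. This is an added example, not code from the Malwarebytes write-up; the HTTP fetcher is injected, so the chain it walks is a constructed stand-in for the ow.ly to gdk.mx to hacked-site hops, and every hostname other than ow.ly and gdk.mx is made up.

```python
"""Unwrap a shortened link's redirect chain (HEAD-style, no page content loaded) and
flag a shortener entry point, a multi-host hop sequence, and a final host that is not
the brand the lure claims. Added example; the chain data below is constructed."""
from urllib.parse import urljoin, urlparse

KNOWN_SHORTENERS = {"ow.ly", "bit.ly", "t.co", "tinyurl.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def follow_chain(url, fetch_head, max_hops=10):
    """Return (hops, reason); fetch_head(url) -> (status, headers) like a HEAD request."""
    hops, seen = [url], {url}
    while len(hops) <= max_hops:
        status, headers = fetch_head(hops[-1])
        if status not in REDIRECT_CODES or "Location" not in headers:
            return hops, "terminal"          # landed; hops[-1] is the real destination
        nxt = urljoin(hops[-1], headers["Location"])  # Location may be relative
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
        hops.append(nxt)
    return hops, "too_many_hops"

def assess(hops, claimed_host):
    """Return a list of findings; empty means the chain is consistent with the lure."""
    hosts = [urlparse(h).hostname or "" for h in hops]
    findings = []
    if hosts[0] in KNOWN_SHORTENERS:
        findings.append("starts_at_shortener")
    if len(set(hosts)) > 2:
        findings.append("multi_host_chain")   # shortener -> free host -> landing page
    if hosts[-1] != claimed_host and not hosts[-1].endswith("." + claimed_host):
        findings.append("final_host_mismatch")
    return findings

# Constructed stand-in for the article's redirect chain (no network access needed).
CONSTRUCTED_CHAIN = {
    "http://ow.ly/EXAMPLE1": (301, {"Location": "http://gdk.mx/redir-example"}),
    "http://gdk.mx/redir-example": (302, {"Location": "/gmail-login/"}),
    "http://gdk.mx/gmail-login/": (302, {"Location": "https://hacked-site.example/secure/"}),
    "https://hacked-site.example/secure/": (200, {}),
}

def mock_head(url):
    """Stand-in for an HTTP HEAD request against the constructed chain."""
    return CONSTRUCTED_CHAIN.get(url, (404, {}))
```

The lure claimed a Google Drive share, so the final host is compared against drive.google.com; a chain whose hops all stay on the claimed brand's domain produces no findings.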