Social media is, of course, designed to connect, but legitimate ways of connecting can be abused. One such abuse currently in circulation involves Linktree, a kind of meta-medium for social media users with many accounts. If you’re unfamiliar with Linktree, which, we stress, is a legitimate service, here’s how the company describes what it lets you do. “Connect your TikTok, Instagram, Twitter, website, store, videos, music, podcast, events and more,” Linktree says. “It all comes together in a link in a bio landing page designed to convert.” And you can “Get started for free.”
Researchers at Avanan have found that criminals are using Linktree as a means of contacting people whom they subsequently induce to give up their credentials. It’s an impersonation scam with a phishing email as the initial attack vector. “In this attack,” Avanan writes, “hackers are creating legitimate Linktree pages to host malicious URLs to harvest credentials.”
“In this attack, end-users get an email with a spoofed Microsoft OneDrive or SharePoint notification that a file has been shared with them, instructing them to open the file.” The URL the recipient is directed to follow is superficially plausible, but on closer inspection can be seen for the imposter it is.
“The URL in the email redirects victims to the Linktree page. Here the hacker has built a simple button that redirects them to the third and final page. Finally, the user is redirected to this fake Office 365 login page, where they are asked to enter their credentials. Of course, that's where those credentials will be promptly stolen.”
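The three-stage chain above (share notification, Linktree hop, fake Office 365 login) is what a mail filter can key on. The following is an added illustration, not Avanan's or Linktree's code: it flags "file shared with you" mail whose link leaves Microsoft's share domains, then walks a constructed redirect map to check whether the chain ends at a login-looking page off Microsoft's domains. The allow-list, the sample email and the redirect map are constructed; the hosts in them are placeholders.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine OneDrive/SharePoint share link points at (constructed allow-list;
# a real tenant would maintain its own, including its vanity SharePoint host).
MICROSOFT_SHARE_DOMAINS = {"onedrive.live.com", "sharepoint.com", "1drv.ms",
                           "microsoft.com", "microsoftonline.com"}
# Link-aggregator host used as the intermediate hop in the campaign described above.
LINK_AGGREGATOR_DOMAINS = {"linktr.ee"}
SHARE_LURE = re.compile(r"(shared (a|the) (file|document) with you|has been shared with you)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
LOGIN_HINT = re.compile(r"(login|signin|sign-in|password)", re.I)

def host_matches(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def analyze_notification(subject, body):
    """Return findings for one email; an empty list means the share lure did not fire."""
    findings = []
    if not SHARE_LURE.search(subject + " " + body):
        return findings
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host_matches(host, LINK_AGGREGATOR_DOMAINS):
            findings.append(f"share lure links to link aggregator: {host}")
        elif not host_matches(host, MICROSOFT_SHARE_DOMAINS):
            findings.append(f"share lure links to non-Microsoft host: {host}")
    return findings

def follow_chain(start, redirects, max_hops=5):
    """Walk a constructed redirect map (email link -> Linktree button -> final page)."""
    url, hops = start, 0
    while url in redirects and hops < max_hops:
        url, hops = redirects[url], hops + 1
    return url

def is_credential_landing(url):
    """True when the chain ends on a login-looking page outside Microsoft's domains."""
    p = urlparse(url)
    return bool(LOGIN_HINT.search(p.netloc + p.path)) and not host_matches(p.hostname, MICROSOFT_SHARE_DOMAINS)

# Constructed sample mirroring the three stages; ".invalid" is a reserved placeholder TLD.
SAMPLE_SUBJECT = "A file has been shared with you"
SAMPLE_BODY = "Alice shared a file with you. Open file: https://linktr.ee/some-profile-PLACEHOLDER"
SAMPLE_REDIRECTS = {"https://linktr.ee/some-profile-PLACEHOLDER": "https://office365-login.invalid/signin"}

if __name__ == "__main__":
    print(analyze_notification(SAMPLE_SUBJECT, SAMPLE_BODY))
    landing = follow_chain("https://linktr.ee/some-profile-PLACEHOLDER", SAMPLE_REDIRECTS)
    print(landing, is_credential_landing(landing))
```

The aggregator check fires on the email itself, before any hop is followed, which is the point: the lure's destination never matches the brand the notification claims to come from.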
It’s another case of a legitimate service being abused in a way that typically evades detection by technical screens. It’s Linktree, right? What could go wrong? Seems legit. This is another case in which new-school security awareness training can train users to be alert to the possibility of scams. An aware user is the ultimate defense against social engineering.
Avanan has the story.