Scammers are exploiting LinkedIn redirect links, or “Slinks,” to fool users and bypass email security filters, Brian Krebs reports. These links allow companies to track their marketing campaigns on LinkedIn, but they can be abused by criminals to create legitimate-looking URLs that redirect to phishing pages.
“The trouble is, there’s little to stop criminals from leveraging newly registered or hacked LinkedIn business accounts to create their own ad campaigns using Slinks,” Krebs says. “Urlscan.io, a free service that provides detailed reports on any scanned URLs, also offers a historical look at suspicious links submitted by other users. This search via Urlscan reveals dozens of recent phishing attacks that have leveraged the Slinks feature.”
Most of these phishing campaigns are after Microsoft account credentials, but Krebs adds that attackers could easily use this technique to trick users into handing over their LinkedIn credentials.
“KrebsOnSecurity couldn’t find any evidence of phishers recently using LinkedIn’s redirect to phish LinkedIn credentials, but that’s certainly not out of the question,” Krebs writes. “In a less complex attack, an adversary could send an email appearing to be a connection request from LinkedIn that redirects through LinkedIn to a malicious or phishous site. Also, malicious or phishous emails that leverage LinkedIn’s Slinks are unlikely to be blocked by anti-spam or anti-malware filters, because LinkedIn is widely considered a trusted domain, and the redirect obscures the link’s ultimate destination.”
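As an added illustration (not code from Krebs's article or from LinkedIn), the following Python sketches the check a mail gateway could apply to the pattern described above: resolve where a link that passes through a trusted domain's redirector finally lands, and flag it for review when the destination leaves that domain. The `/slink` path prefix, the hostnames and the redirect chain are constructed assumptions, not values taken from the article.

```python
"""Triage e-mail links that route through a trusted domain's redirector.

Added example: the redirect chain is a constructed in-memory map standing
in for HTTP Location headers, so the check runs offline. In a real gateway
the lookup would be a sandboxed HEAD-request fetcher.
"""
from urllib.parse import urljoin, urlparse

# Trusted hosts and the redirector path prefixes on them. "/slink" is an
# assumption about LinkedIn's Slink URLs, not something stated on the page.
TRUSTED_REDIRECTORS = {"www.linkedin.com": ("/slink",), "linkedin.com": ("/slink",)}

# Constructed sample chain: URL -> value of its Location response header.
SAMPLE_CHAIN = {
    "https://www.linkedin.com/slink?code=abc123": "https://t.example.net/r?u=1",
    "https://t.example.net/r?u=1": "/landing",
    "https://t.example.net/landing": "https://accounts-login.example/auth",
}


def is_trusted_redirector(url: str) -> bool:
    """True if the link is a redirect endpoint on a trusted domain."""
    p = urlparse(url)
    return p.path.startswith(TRUSTED_REDIRECTORS.get(p.hostname or "", ()))


def follow_chain(url: str, lookup: dict, max_hops: int = 5) -> list:
    """Resolve redirects until none remain, a loop is seen, or hops run out."""
    chain = [url]
    while url in lookup and len(chain) <= max_hops:
        url = urljoin(url, lookup[url])  # also handles relative Location values
        if url in chain:                 # redirect loop: stop rather than spin
            break
        chain.append(url)
    return chain


def assess_link(url: str, lookup: dict) -> dict:
    """Return the resolved chain, the final landing host, and a verdict."""
    chain = follow_chain(url, lookup)
    final_host = urlparse(chain[-1]).hostname or ""
    trusted = urlparse(url).hostname or ""
    registrable = trusted[4:] if trusted.startswith("www.") else trusted
    stays_on_domain = final_host == registrable or final_host.endswith("." + registrable)
    # A trusted-domain redirector that lands off-domain is exactly the case
    # where the link must not inherit the domain's reputation in the filter.
    flagged = is_trusted_redirector(url) and not stays_on_domain
    return {"chain": chain, "final_host": final_host,
            "verdict": "review" if flagged else "ok"}


if __name__ == "__main__":
    for link in SAMPLE_CHAIN:
        print(assess_link(link, SAMPLE_CHAIN))
```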
Krebs concludes that users shouldn’t trust links in unsolicited messages, and they should pause and think before entering their credentials on a login page.
“The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums,” Krebs says. “Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.”
LinkedIn is so widely used in business networking that it touches most organizations in one way or another. New-school security awareness training can teach your employees to recognize social engineering tactics.
KrebsOnSecurity has the story.