The ACMA cyber security team has observed a recent spate of phishing emails targeting the business-oriented social networking service LinkedIn. While at first glance they may appear to be relatively innocuous, falling victim to one of these phishes could have severe consequences for you and the company you work for.
The most common form of the phish is a simple email with the subject heading ‘LinkedIn’, containing:
Due to countless complains about identity theft and online fraud. We have decided to increase the level of our online security system so that your account can be protected from online fraud. You are required to verify your information to secure it from online fraud.
To secure your account Verify firstname.lastname@example.org .
Thank you for choosing LinkedIn.
Clicking the ‘Verify’ link takes you to a very convincing copy of the LinkedIn sign-in page. The incorrect URL in the browser’s address bar is really the only obvious indicator that this is a fake version of a LinkedIn webpage.
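Because the address bar is the one reliable tell, it is worth being precise about what ‘checking the URL’ means. The script below is an added example, not code from the ACMA post or from LinkedIn: it pulls the links out of an email body and tests whether each one actually lands on the registrable domain the message claims (linkedin.com), flagging the common tricks: a look-alike domain with ‘linkedin.com’ bolted on the front, a hostname hidden behind ‘linkedin.com@’, a raw IP address, or an internationalised hostname that can hide homoglyphs. The sample email text and the hostnames in it are constructed for illustration; the ‘last two labels’ rule for the registrable domain is a simplification (it is wrong for domains like example.co.uk) and a production checker would use the Public Suffix List.

```python
"""Added example (not part of the ACMA post): check whether the links in a
suspicious email actually point at the domain the email claims to be from.

The sample email and the hostnames in it are constructed for illustration.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# The registrable domain the email claims to come from.  Anything else,
# including "www.linkedin.com.<something-else>", is treated as suspect.
EXPECTED_DOMAIN = "linkedin.com"

# Crude link extractor for plain-text email bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> Optional[str]:
    """Return the host's registrable domain using a 'last two labels' rule.

    Simplification: this is wrong for suffixes such as co.uk; a real checker
    would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def classify_url(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Return 'ok' if the URL lands on `expected`, otherwise a 'suspect: ...'
    string naming the first problem found."""
    parts = urlsplit(url)
    host = parts.hostname  # already lowercased; userinfo and port stripped
    if not host:
        return "suspect: no host"
    # https://linkedin.com@evil.example/ -> browser goes to evil.example
    if parts.username is not None:
        return "suspect: credentials embedded before host"
    # Raw IP addresses are never how a large service sends you to log in.
    if host.replace(".", "").isdigit():
        return "suspect: raw IP address instead of a hostname"
    # Non-ASCII or punycode hosts can hide look-alike characters.
    if not host.isascii() or "xn--" in host:
        return "suspect: internationalised host (possible look-alike)"
    domain = registrable_domain(host)
    if domain == expected:
        return "ok"
    return f"suspect: {domain} is not {expected}"


def check_email(body: str, expected: str = EXPECTED_DOMAIN) -> Dict[str, str]:
    """Map every link in `body` to its classification."""
    results = {}
    for match in URL_RE.findall(body):
        url = match.rstrip(".,;)")  # drop trailing sentence punctuation
        results[url] = classify_url(url, expected)
    return results


# Constructed sample modelled on the phish described in the post.  The
# first link is a look-alike domain; the second is the genuine site.
SAMPLE_EMAIL = """\
Due to countless complains about identity theft and online fraud.
To secure your account Verify https://www.linkedin.com.account-verify.example/login
Thank you for choosing LinkedIn. https://www.linkedin.com/
"""

if __name__ == "__main__":
    for url, verdict in check_email(SAMPLE_EMAIL).items():
        print(f"{verdict:60s} {url}")
```

Run it on its own and the look-alike link is reported as ‘suspect: account-verify.example is not linkedin.com’ while the genuine link is ‘ok’. The ordering of the checks matters: the embedded-credentials test runs before the domain comparison because a URL such as https://linkedin.com@evil.example/ would otherwise look legitimate to anyone who only glances at the first thing after ‘https://’.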
It is worth thinking about the consequences of entering the information requested by this webpage. Once you have provided your details, the cybercriminals behind the fake webpage can masquerade as you. They can email any of your LinkedIn contacts—including contacts who work for the same company—from within LinkedIn and request information from them, and those contacts will assume the email has come from you.
Having access to your contact list and previous LinkedIn communications provides fertile material for sophisticated spearphishing campaigns—emails that target specific individuals. Cybercriminals can use your account to craft targeted emails to one or more of your contacts that reference previous conversations, making the email appear to have come from you.
Unfortunately many users reuse their login credentials on other services, particularly on social media services, which are often considered to contain less critical information. If this is your practice, obtaining your LinkedIn credentials may open up access to a wealth of other personal information that can be mined by cybercriminals.
If credentials are entered into the fields on the fake LinkedIn sign-in page, a second webpage is presented to the user.
This page is much more likely to raise suspicion, as it requests additional information that the legitimate LinkedIn website never asks for, but the fields it presents make clear that the cybercriminals are targeting business users.
Who are the cybercriminals targeting?
Small and medium businesses are increasingly at risk of being compromised through spearphishing campaigns that have their origins in phishing emails like the one highlighted in this blog. According to the Symantec Intelligence Report for September 2015, 34.5 per cent of the companies targeted by spearphishing attacks in that month had between one and 250 employees; in August 2015 the figure was 78.4 per cent.
Cybercriminals don’t just attack the big end of town—they often focus on the most vulnerable targets. The United States National Small Business Association’s 2014 year-end economic report stated that half of the small businesses surveyed had been the victim of a cyber-attack, and two thirds of those had experienced multiple attacks. The average cost to each business was significant, at US$20,752 per attack, up from US$8,699 in 2013. Small and medium businesses need to be vigilant in protecting their electronic information and not simply assume ‘it won’t happen to me’. Our advice:
- never click on links in suspect emails—it’s just not worth it
- always check the authenticity of a website that requests your user credentials—look at the full address in the browser’s address bar, not just the page design
- never reuse login credentials on any web service
- where available, use two-factor authentication on your accounts
- if you are a small to medium sized business, establish appropriate cybersecurity protections and educate your staff about best practices for keeping your data safe.
We have also advised LinkedIn of this phishing campaign. To see their advice, visit their website.
Educate yourself on ways to avoid having your personal information compromised by visiting the Australian Government’s Stay Smart Online website.
Subscribe to Cybersecurity news for the latest trends and updates from the Australian Internet Security Initiative, with a focus on malware and botnet activities.