Contents:
Heimdal™ Security’s Incident Investigation and Response Department have recently discovered a new phishing campaign that aims to compromise LinkedIn accounts. The intel gathered so far, suggests that the malicious operation indiscriminately targets business and personal accounts in an attempt to harvest Microsoft login credentials. To date, no identity cases have been registered. Heimdal Security™ will continue to monitor all online channels.
Overview
Coined the LinkedIn OneDrive Phishing Campaign, the malicious actors behind the latest credential-stealing operation are using fabricated LinkedIn profiles to get in touch with their victims. In 80% of cases, the malicious actors aimed at business owners or decision-makers. The lure is a Microsoft Word document shared via OneDrive (private session).
Once the victim performs a click or tap action on the OneDrive link, the browser will redirect him/her to the fraudulent OneDrive page. Regardless if you’re signed in or not, the fake platform will require you to input your credentials (username & password associated with your Microsoft account) to read and/or commit changes to its contents.
Forensic analysis performed on domain and accounts has yielded no actionable intel – ‘burner(able) LinkedIn accounts’, no registrar info on Who.is and the names appended to the malicious accounts appear to have been generated with some sort of online tool.
LinkedIn OneDrive Phishing Campaign – In-Depth Analysis
Outlined here, are the results of Heimdal™ Security’s probing into the Linked OneDrive Phishing Campaign case.
The LinkedIn user (business or personal profile) receives a message. In the observed cases, it’s from a person outside the user’s network. The message reads as follows:
I hope all is well? I have shared a document with you via Onedrive, please see the shared document.
iradistributiontrade.blog.ctk.at
Regards.
(Translated from Danish)
Upon click or tap action, the user is redirected to another website: https://server.skicoupons.com/investment (domain blocked and sanitized by Heimdal™ Security). The first bounce leads the user to what appears to be a OneDrive dashboard.
An outward examination of the cloned OneDrive UI reveals no actionable information: it’s almost identical to Microsoft OneDrive’s official dashboard. However, all the buttons and hyperlinks only have an aesthetical function – if the user clicks or taps on any of the buttons and/or hyperlinks, a second redirect will occur, leading the user to what appears to be a Microsoft account login screen.
Despite having the same ‘demeanor’ as Microsoft’s Sign In page, this is a credential-stealing form. As I’ve mentioned, the user will be redirected to the Microsoft account login page even if he’s signed in.
Upon entering the requested credentials (email, phone number or Skype handle and Microsoft password), the user will again be redirected, but, this time to an error page. Attempts to reproduce the steps leading to the Microsoft account compromise led to two distinct versions. During the first round, the redirect page returns a type 404 error. The subsequent attempt called up a blank browser page.
To recapitulate: user receives a message on LinkedIn containing the phishing link → user redirected to fake OneDrive dashboard →after opening the file “Business Innovation.docx”, the user is, once again, redirected to a fake Microsoft account login page → user inputs credentials and clicks on “Log in” → third redirect to blank or 404 page.
How to protect your endpoints against phishing attempts
To safeguard your endpoints and network against the latest phishing campaign, prevention is of the utmost importance. Here are some more pointers on how to boost your company’s cyber-resilience.
Learn how to identify phishing attempts
Differentiating phishing pages from legitimate ones may be difficult since they are made to be this way, but not impossible. Take this case, for example, the Microsoft login page looks authentic, until you take a closer look at the address bar.
This is how the malicious address looks like:
https://server.skicoupons.com/investment/login.php
versus an authentic Microsoft account sign-in link:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201d503&redirect_uri=https%3A%2F%2Fwww.office.com%2Flanding&response (…)
As you can see, several key elements are missing: Microsoft’s domain, oauth2 access standard for access delegation, redirect URL etc.
Other tell-tale signs you should look out for: HTTPS certificate, spelling mistakes in displayed content, AV/AM solution alerting you to opening an unsecured connection, popups that don’t make sense.
Install an appropriate anti-phishing solution
Regular antivirus solutions may not detect phishing attempts. Sophisticated phishing campaigns, use various masking techniques to avoid detection. Second-gen malware requires a different approach – DNS and HTTPS filtering. Heimdal™ Threat Prevention, Heimdal™ Security’s threat-hunting solution can detect any change in network traffic, sever the connection to the malicious server, and prevent the phishing page from loading.
Heimdal® DNS Security Solution
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
Apply common sense when using LinkedIn (or any other business-research instruments)
As always, everything boils down to common sense: if you receive a message from a person outside your network, it’s only logical to exercise a modicum of caution: don’t click on embedded links or share your personal information.
Wrap-up
So far, no victims have been reported in the wake of the LinkedIn OneDrive phishing campaign. The best ways to protect yourself against this credential-stealing is vigilance and a proper antivirus/antimalware solution.