Hackers Still Abusing LinkedIn Smart Links in Phishing Attacks
Email security firm Cofense in 2022 uncovered a phishing campaign that abused LinkedIn’s Smart Links feature to redirect unsuspecting victims to malicious websites, another example of bad actors using a trusted source to bypass security measures and reach users.
At the time, hackers were using the phishing campaign to convince users that the Slovakian Postal Service was asking for shipping costs. Cofense analysts noted that “this is a very adaptable strategy due to [the] smart links LinkedIn features. … Threat actors abuse legitimate LinkedIn features with added unique alphanumeric variables at the end of the URL to redirect users to malicious websites.”
Almost a year later, bad actors were back at it again, using Smart Links in a large phishing campaign designed to steal Microsoft Office credentials from victims.
While abusing SmartLinks in phishing attacks is not new, the scope of the most recent campaign uncovered by Cofense was unusual.
“Cofense identified an anomaly of over 800 emails of various subject themes, such as financial, document, security, and general notification lures, reaching users’ inboxes across multiple industries containing over 80 unique LinkedIn Smart Links,” Nathaniel Raymond, a threat intelligence analyst with the firm, wrote in a report. “These links can come from newly created or previously compromised LinkedIn business accounts.”
What are Smart Links?
Smart Links were in introduced in 2016 are part of LinkedIn’s Sales Navigator service, giving users a way to share content on the social media platform. With Smart Links, users – including businesses – can add links to their profiles to point to their own websites, blogs, or other online or social media presence, enabling others to click on the links to those pages.
Business accounts can use Smart Links for driving traffic to their sites and for marketing and tracking by reaching out to other LinkedIn users. The Smart Links can track of who interacted with the messages and how they interacted.
Smart Links users can add custom tracking parameters to get a better idea where those clicking on those links are from, which can be useful to salespeople, business development teams, recruiters, and similar people.
“The Smart Link uses the LinkedIn domain followed by a ‘code’ parameter with an eight-alphanumeric character ID that may contain underscores and dashes,” Raymond wrote. “However, malicious Smart Links can include other parts of information, such as obfuscated victim emails.”
A Large Campaign
The latest campaign ran from July and August, with most of the targets in the finance, manufacturing, energy, construction, and health care industries, according to Cofense. Other sectors also were included, such as insurance, mining, consumer goods, and technology.
“Despite Finance and Manufacturing having higher volumes, it can be concluded that this campaign was not a direct attack on any one business or sector but a blanket attack to collect as many credentials as possible using LinkedIn business accounts and Smart Links to carry out the attack,” Raymond wrote.
The use of a trusted domain – in this case, LinkedIn – enables the phishing lures to get by secure email gateways, with the phishing emails using generic subject lines that address themes of financial, human resources, documents, security, and general notifications.
An Authentic Appearance
The attackers made the message seem more authentic on Microsoft login page by including the victim’s email address in the Smart Link.
If they click on the link in the mail, the user is sent either directly through a series of redirects to the phishing page, which will then instruct the user to log in using their Office credentials.
“The phishing pages are made to appear as generic and legitimate as possible … to encompass the large industry target spread,” Raymond wrote.
The phishing page, using the victim’s email address, will automatically fill it onto the login form, asking for the user to fill in their password, which then gives the threat actors the Microsoft credentials they’re looking for.
Noting that by abusing the Smart Links and using the trust given to the LinkedIn domain, the hackers can bypass the security gateway to land in the inboxes of their victims, Raymond wrote that while email security suites are still important, users must be alert about the potential threats coming at them through email.
“It is also essential for employees to constantly be up to date on their training to combat any phishing campaign,” he wrote. “Employees must be taught not to click links from emails that seem suspicious or unexpected.”
That’s becoming increasingly important, given the growing sophistication of such attacks, according to Vinay Pidathala, senior director of Menlo Security’s Menlo Labs.
“The misuse of LinkedIn Smart Links is a good example of how threat actors are evolving their tactics and techniques towards highly evasive threats to bypass existing defenses,” Pidathala said in an email to Security Boulevard.
Hackers don’t only use legitimate domains because they’re trusted by users, but also because “security vendors and their solutions embrace the concept of trust, meaning some websites can be trusted to never deliver maliciousness,” he said. “Therefore, attacks such as the one using LinkedIn Smart Links goes undetected by the typical security stack, significantly increasing the likelihood of successful attack execution.”
