{"id":42861,"date":"2021-11-10T06:00:41","date_gmt":"2021-11-10T11:00:41","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=42861"},"modified":"2021-11-10T06:00:41","modified_gmt":"2021-11-10T11:00:41","slug":"linkedin-phishing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/linkedin-phishing\/42861\/","title":{"rendered":"Fake LinkedIn notifications"},"content":{"rendered":"<p>Have you disabled annoying e-mail notifications from social networks? We think that\u2019s great! We even periodically offer <a href=\"https:\/\/www.kaspersky.com\/blog\/8-steps-to-freedom-from-social-media\/42632\/\" target=\"_blank\" rel=\"noopener nofollow\">advice on how to cut down on digital noise<\/a>. But LinkedIn is a special case. People really do expect messages from the social network for professionals \u2014 one could be from a prospective employer or business partner, after all. But a message from LinkedIn might just as easily come from a scammer pretending to represent a legitimate company. In this post, we\u2019re taking apart some phishing e-mails masquerading as LinkedIn notifications.<\/p>\n<h2>\u201cI am a bussinessman and am interested in doing business with you\u201d<\/h2>\n<p>On the face of it, this type of e-mail looks like a typical partnership proposal. It includes the photo, position, and company name of the potential \u201cpartner,\u201d and even a LinkedIn logo. The message is too short, though, and one might expect the word \u201cbusinessman\u201d to be spelled correctly in a legitimate message. 
You may also see that the message came from \u201cLinkediinContact\u201d \u2014 note the extra \u201ci\u201d \u2014 and the sender\u2019s address has nothing to do with LinkedIn.<\/p>\n<div id=\"attachment_42869\" style=\"width: 1010px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074349\/linkedin-phishing-1.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-42869\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074349\/linkedin-phishing-1.jpg\" alt=\"E-mail purportedly from LinkedIn proposing cooperation with an Arab businessman\" width=\"1000\" height=\"600\" class=\"size-full wp-image-42869\"><\/a><p id=\"caption-attachment-42869\" class=\"wp-caption-text\">E-mail purportedly from LinkedIn proposing cooperation with an Arab businessman<\/p><\/div>\n<p>The link in the e-mail leads to a website that looks similar to the real LinkedIn login page.<\/p>\n<div id=\"attachment_42868\" style=\"width: 1350px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074342\/linkedin-phishing-2.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-42868\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074342\/linkedin-phishing-2.jpg\" alt=\"Phishing LinkedIn login page\" width=\"1340\" height=\"800\" class=\"size-full wp-image-42868\"><\/a><p id=\"caption-attachment-42868\" class=\"wp-caption-text\">Phishing LinkedIn login page<\/p><\/div>\n<p>But the URL is far removed from LinkedIn\u2019s, and the domain is the Turkish .tr, not .com. If the victim enters their credentials on this site, the account will soon be in the hands of the scammers.<\/p>\n<h2>\u201cPlease send me a qoute\u201d<\/h2>\n<p>A similar case is this message seemingly from an importer in Beijing, asking for a quote for the delivery of goods. 
The notification looks convincing; the message footer includes links to view help and unsubscribe from notifications, a copyright notice, and even the actual postal address of LinkedIn\u2019s China office. Even the sender\u2019s address looks like the real deal. Nevertheless, we see some red flags.<\/p>\n<div id=\"attachment_42867\" style=\"width: 850px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074335\/linkedin-phishing-3.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-42867\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074335\/linkedin-phishing-3.jpg\" alt=\"E-mail purportedly from LinkedIn in which a Chinese buyer requests a quote. The sender's address looks clean, but that doesn't mean everything's in order\" width=\"840\" height=\"730\" class=\"size-full wp-image-42867\"><\/a><p id=\"caption-attachment-42867\" class=\"wp-caption-text\">E-mail purportedly from LinkedIn in which a Chinese buyer requests a quote. The sender\u2019s address looks clean, but that doesn\u2019t mean everything\u2019s in order<\/p><\/div>\n<p>For example, an article is missing in front of the word \u201cmessage\u201d in the subject line. The author may not speak fluent English, but the platform generates the subject of LinkedIn notifications automatically, so the subject can\u2019t contain errors.<\/p>\n<p>If you smell a rat and do a search for the company (UVLEID), you won\u2019t find it because it doesn\u2019t exist. And most important, the links in the e-mail point to a suspicious address in which random words, numbers and letters have been added to the name of the social network. The domain is again wrong, as well. 
This time it\u2019s .app, which app developers use.<\/p>\n<div id=\"attachment_42866\" style=\"width: 850px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074328\/linkedin-phishing-4.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-42866\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074328\/linkedin-phishing-4.jpg\" alt=\"The button points to a phishing site\" width=\"840\" height=\"730\" class=\"size-full wp-image-42866\"><\/a><p id=\"caption-attachment-42866\" class=\"wp-caption-text\">The button points to a phishing site<\/p><\/div>\n<p>The \u201cLinkedIn login page,\u201d which the link opens, has issues: a blue square covering part of the last letter in the logo, and Linkedin instead of LinkedIn (under the username and password fields).<\/p>\n<div id=\"attachment_42865\" style=\"width: 1210px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074304\/linkedin-phishing-5.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-42865\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074304\/linkedin-phishing-5.jpg\" alt=\"Carefully check the URL of the site and the name of the social network\" width=\"1200\" height=\"800\" class=\"size-full wp-image-42865\"><\/a><p id=\"caption-attachment-42865\" class=\"wp-caption-text\">Carefully check the URL of the site and the name of the social network<\/p><\/div>\n<h2>\u201cYou appeared in 2 search this week\u201d<\/h2>\n<p>Links in fake notifications don\u2019t always open fake login pages \u2014 sometimes they can lead to more unexpected places. 
For example, this message saying that the recipient\u2019s profile has been viewed twice \u2014 common information for LinkedIn users to see \u2014 obviously uses bad English, but even if you miss that, a few other details should catch your attention:<\/p>\n<div id=\"attachment_42864\" style=\"width: 1010px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074219\/linkedin-phishing-6.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-42864\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074219\/linkedin-phishing-6.jpg\" alt=\"Unknown sender address and link to a site in a Brazilian domain\" width=\"1000\" height=\"740\" class=\"size-full wp-image-42864\"><\/a><p id=\"caption-attachment-42864\" class=\"wp-caption-text\">Unknown sender address and link to a site in a Brazilian domain<\/p><\/div>\n<p>With this kind of deception, if the victim misses the strange set of letters in the sender\u2019s address or the Brazilian domain, they may well click the button and get to an unexpected site \u2014 in our case, a \u201chow to become a millionaire\u201d online survey. After a few redirects, we ended up at a form asking for contact information, including phone numbers. 
The scammers most likely use the collected numbers for <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-from-vishing\/40410\/\" target=\"_blank\" rel=\"noopener nofollow\">phone fraud<\/a>.<\/p>\n<div id=\"attachment_42863\" style=\"width: 1210px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074144\/linkedin-phishing-7.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-42863\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/11\/09074144\/linkedin-phishing-7.jpg\" alt=\"Online survey with redirect for further data harvesting\" width=\"1200\" height=\"800\" class=\"size-full wp-image-42863\"><\/a><p id=\"caption-attachment-42863\" class=\"wp-caption-text\">Online survey with redirect for further data harvesting<\/p><\/div>\n<h2>How to tell if a message from a potential partner or employer is fake<\/h2>\n<p>Cybercriminals use phishing to steal accounts, personal data, and money, but that is no reason to stop using LinkedIn or other services. 
Instead, learn <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-yourself-from-phishing\/42317\/\" target=\"_blank\" rel=\"noopener nofollow\">how to guard against phishing<\/a>, and always keep these basic tips at the ready:<\/p>\n<ul>\n<li>Watch out for unexpected messages from well-known companies;<\/li>\n<li>Look for inconsistencies in the names and addresses of senders, as well as typos in links, the subject line, and the e-mail body;<\/li>\n<li>Check notifications using official apps or websites, and in the latter case, manually type in the address or open it from your bookmarks;<\/li>\n<li>Enter contact information, card numbers, or login credentials only after double-checking you are on the real site;<\/li>\n<li>Use a <a href=\"https:\/\/www.kaspersky.com\/advert\/security-cloud?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____ksc___\" target=\"_blank\" rel=\"noopener nofollow\">reliable security solution<\/a> that warns you of danger and blocks phishing and fraudulent sites.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We look at some examples of LinkedIn phishing and explain how everyone can avoid taking the 
bait.<\/p>\n","protected":false},"author":2598,"featured_media":42862,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[80,172,76,4250,240],"class_list":{"0":"post-42861","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-fraud","9":"tag-linkedin","10":"tag-phishing","11":"tag-social-network","12":"tag-spam"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/linkedin-phishing\/42861\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/linkedin-phishing\/23618\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/linkedin-phishing\/19070\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/linkedin-phishing\/9567\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/linkedin-phishing\/25691\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/linkedin-phishing\/23751\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/linkedin-phishing\/23282\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/linkedin-phishing\/26409\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/linkedin-phishing\/25951\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/linkedin-phishing\/31877\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/linkedin-phishing\/10250\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/linkedin-phishing\/18070\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/linkedin-phishing\/18445\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/linkedin-phishing\/15507\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/linkedin-phishing\/27713\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/linkedin-phishing\/31946\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersk
y.nl\/blog\/linkedin-phishing\/27816\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/linkedin-phishing\/24553\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/linkedin-phishing\/29933\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/linkedin-phishing\/29737\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=42861"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42861\/revisions"}],"predecessor-version":[{"id":42894,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42861\/revisions\/42894"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/42862"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=42861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=42861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=42861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}