+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

LinkedIn the Top Phishing Brand in Q2 2022

Phishing is the most common cyber attack vector, and while email is well known for phishing, increasingly LinkedIn is being used as well. End-user phishing was the initial access point in 56% of cyber attacks that took place in 2021, according to a recent report. Phishing attacks rely on user interaction to trigger the initial access, such as clicking a web link in an email, or opening a malicious document sent as an attachment, which then delivers the initial payload.  

Business email compromise (BEC) is a form of phishing attack that uses social engineering to target specific victims. While broad phishing attacks can be easy to identify and unconvincing, BEC utilises specifically crafted emails and spoofed web pages to impersonate a particular individual or company. Check Point’s Brand Phishing Report for the second quarter of 2022 reveals the top 10 brands impersonated by cyber criminals in phishing attacks.  

LinkedIn was found to be the most impersonated brand, totalling 45% of all global brand phishing attempts. This is the second quarter in a row that LinkedIn have held the top spot, although impersonations of the social media site have dropped down from their previous majority of 52% in Q1 2022. The second most impersonated brand was Microsoft, at 13%, with delivery brand DHL in third place accounting for 12% of phishing attacks. Other well-known brand names such as Amazon and Google also appear in this list. 

In April, May, and June we observed that the social media platform LinkedIn continued its reign as the most imitated brand after entering the rankings for the first-time in Q1.  

CheckPoint’s Brand Phishing Report 

Top phishing brands in Q2 2022: 

  1. LinkedIn (45%) 
  1. Microsoft (13%) 
  1. DHL (12%) 
  1. Amazon (9%) 
  1. Apple (3%) 
  1. Adidas (2%) 
  1. Google (1%) 
  1. Netflix (1%) 
  1. Adobe (1%) 
  1. HSBC (1%) 

  

Recent impersonations of LinkedIn are not the only phishing-based incidents faced by this company, as a significant amount of phishing occurs on the site itself. The Centre for the Protection of National Infrastructure (CPNI), the National Technical Authority for the UK government, launched a campaign to combat phishing on LinkedIn last year, called ‘Think before you link’. This campaign and associated app were designed to help users identify and report fake profiles on social media sites.  

The malicious profiles used in this campaign were run by threat actors posing as employers or recruiters to gather intelligence from multiple targets. These attacks had a specific emphasis on UK and western nationals working in government who were targeted to reveal information about their current job role, including matters of national intelligence, in the guise of a fake interview process. The CPNI campaign highlights the hallmarks of these fake phishing profiles to aid users in identifying them. 

Additionally, WithSecure Intelligence Research published a report this week about an info-stealer malware known as ‘Ducktail’ that is believed to have used LinkedIn phishing attacks as a way to gain initial access. Ducktail is reported to have been in operation since late 2021, and is attributed to a Vietnamese threat actor who is suspected of conducting attacks since at least 2018. The intention behind this stealer malware is to take over Facebook business accounts that have advertising privileges.  

To do this, the threat actors used LinkedIn to target victims who had relevant information in their profiles that suggest they manage social media advertising for their company. These victims would typically have “digital media” or “digital marketing” listed as their job roles, and would then be manipulated through social engineering to download the initial payload from a cloud hosting service, such as Dropbox, iCloud, or MediaFire. This delivered the malware onto the host device as an archived file, with the malware executable (.exe file) disguised as a PDF document, and various JPEG files with names relating to the discussions the malicious actor would have had with the victim, presumably used to sell the scam. 

The EXE file containing the malware is a .NET Core, containing all of the dependencies needed to run on the infected device, regardless of whether or not the victim has previously installed .NET runtime. When the victim attempts to open this, the malware scans the web browsers on the device for cookies, to collect system information and Facebook credentials. Using a stolen session cookie, the malware can access the victim’s Facebook account and be authenticated, as the request and the session cookie are both coming from the victim’s browser.  

Once this access has been obtained, the malware gathers multiple access tokens to allow the threat actor to now access the compromised account from their own device. The information harvested to allow for this includes the victim’s IP address and geolocation data, as well as Facebook account information (name, email, birthday, user ID), multi-factor authentication codes, and session cookies. The malware also steals business-specific details from the account, including the advertising limit, users list, client list, and more. All of this stolen data is exfiltrated through Telegram bots.  

The threat actors can now use this stolen information to hijack the Facebook business account and add themselves as a fully-permissioned user. They can now replace the financial details to send themselves direct payments or use the money from the victim’s accounts to run their own Facebook Ad campaign. Because of this, the Ducktail malware attacks are thought to be financially motivated. This malware attack can be protected against using Endpoint detection software, such as anti-virus software, that would alert the user to the malware’s presence on the device. However, the best defence is vigilance against fake LinkedIn profiles, to avoid falling for the phishing scam in the first place. 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.