Phishing is the most common cyber attack vector, and while email is well known for phishing, increasingly LinkedIn is being used as well. End-user phishing was the initial access point in 56% of cyber attacks that took place in 2021, according to a recent report. Phishing attacks rely on user interaction to trigger the initial access, such as clicking a web link in an email, or opening a malicious document sent as an attachment, which then delivers the initial payload.  

Business email compromise (BEC) is a form of phishing attack that uses social engineering to target specific victims. While broad phishing attacks can be easy to identify and unconvincing, BEC utilises specifically crafted emails and spoofed web pages to impersonate a particular individual or company. Check Point’s Brand Phishing Report for the second quarter of 2022 reveals the top 10 brands impersonated by cyber criminals in phishing attacks.  

LinkedIn was found to be the most impersonated brand, totalling 45% of all global brand phishing attempts. This is the second quarter in a row that LinkedIn have held the top spot, although impersonations of the social media site have dropped down from their previous majority of 52% in Q1 2022. The second most impersonated brand was Microsoft, at 13%, with delivery brand DHL in third place accounting for 12% of phishing attacks. Other well-known brand names such as Amazon and Google also appear in this list. 

In April, May, and June we observed that the social media platform LinkedIn continued its reign as the most imitated brand after entering the rankings for the first-time in Q1.  

CheckPoint’s Brand Phishing Report 

Top phishing brands in Q2 2022: 

1. LinkedIn (45%) 

1. Microsoft (13%) 

1. DHL (12%) 

1. Amazon (9%) 

1. Apple (3%) 

1. Adidas (2%) 

1. Google (1%) 

1. Netflix (1%) 

1. Adobe (1%) 

1. HSBC (1%) 

Recent impersonations of LinkedIn are not the only phishing-based incidents faced by this company, as a significant amount of phishing occurs on the site itself. The Centre for the Protection of National Infrastructure (CPNI), the National Technical Authority for the UK government, launched a campaign to combat phishing on LinkedIn last year, called ‘Think before you link’. This campaign and associated app were designed to help users identify and report fake profiles on social media sites.  

The malicious profiles used in this campaign were run by threat actors posing as employers or recruiters to gather intelligence from multiple targets. These attacks had a specific emphasis on UK and western nationals working in government who were targeted to reveal information about their current job role, including matters of national intelligence, in the guise of a fake interview process. The CPNI campaign highlights the hallmarks of these fake phishing profiles to aid users in identifying them. 

Additionally, WithSecure Intelligence Research published a report this week about an info-stealer malware known as ‘Ducktail’ that is believed to have used LinkedIn phishing attacks as a way to gain initial access. Ducktail is reported to have been in operation since late 2021, and is attributed to a Vietnamese threat actor who is suspected of conducting attacks since at least 2018. The intention behind this stealer malware is to take over Facebook business accounts that have advertising privileges.  

To do this, the threat actors used LinkedIn to target victims who had relevant information in their profiles that suggest they manage social media advertising for their company. These victims would typically have “digital media” or “digital marketing” listed as their job roles, and would then be manipulated through social engineering to download the initial payload from a cloud hosting service, such as Dropbox, iCloud, or MediaFire. This delivered the malware onto the host device as an archived file, with the malware executable (.exe file) disguised as a PDF document, and various JPEG files with names relating to the discussions the malicious actor would have had with the victim, presumably used to sell the scam. 

The EXE file containing the malware is a .NET Core, containing all of the dependencies needed to run on the infected device, regardless of whether or not the victim has previously installed .NET runtime. When the victim attempts to open this, the malware scans the web browsers on the device for cookies, to collect system information and Facebook credentials. Using a stolen session cookie, the malware can access the victim’s Facebook account and be authenticated, as the request and the session cookie are both coming from the victim’s browser.  

Once this access has been obtained, the malware gathers multiple access tokens to allow the threat actor to now access the compromised account from their own device. The information harvested to allow for this includes the victim’s IP address and geolocation data, as well as Facebook account information (name, email, birthday, user ID), multi-factor authentication codes, and session cookies. The malware also steals business-specific details from the account, including the advertising limit, users list, client list, and more. All of this stolen data is exfiltrated through Telegram bots.  

The threat actors can now use this stolen information to hijack the Facebook business account and add themselves as a fully-permissioned user. They can now replace the financial details to send themselves direct payments or use the money from the victim’s accounts to run their own Facebook Ad campaign. Because of this, the Ducktail malware attacks are thought to be financially motivated. This malware attack can be protected against using Endpoint detection software, such as anti-virus software, that would alert the user to the malware’s presence on the device. However, the best defence is vigilance against fake LinkedIn profiles, to avoid falling for the phishing scam in the first place.