Phishing actors are abusing LinkedIn Smart Links feature to bypass email security products and successfully redirect targeted users to phishing pages that steal payment information.
Smart Link is a feature reserved for LinkedIn Sales Navigator and Enterprise users, allowing them to send a pack of up to 15 documents using a single trackable link.
Besides its versatility, Smart Link provides marketing people with analytics, generating reports about who viewed the shared content and for how long.
Hence, phishing actors aren’t just using Smart Link for bypassing email security protections but can also gain insight into the effectiveness of their campaigns, allowing them to optimize their lures.
The new trend of Smart Link abuse for phishing was spotted by threat analysts at Cofense, who have observed campaigns targeting Slovakian users with bogus postal service lures.
The phishing email sent to targets supposedly originates from Slovenská pošta, the state-owned postal service provider in Slovakia, informing the recipient of the need to cover costs for a parcel that’s pending shipment.
Using email header trickery, the address appears legitimate to the recipient, but if examined closely, it becomes clear that the sender is actually “[email protected]”, entirely unrelated to the postal service.
The embedded “confirm” button contains a LinkedIn Smart Link URL, with added alphanumeric variables at its end to redirect the victim to a phishing page. (“linkedin[.]com/slink?code=g4zmg2B6”)
The redirection feature in Smart Links is typically used for promoting marketing pages, advertisements, etc., but threat actors abuse it to override security checks.
The presented shipment cost on the landing page isn’t high, set to a realistic €2.99, but the goal of the phishing actors isn’t to receive money but to steal the target’s credit card details, including the number, holder’s name, expiration date, and CVV.
Visitors who enter the information and click on “submit” will be informed that their payment has been received and eventually redirected to a final SMS code confirmation page with the sole purpose of sprinkling legitimacy in the process.
While this still-ongoing campaign targets Slovakians, the abuse of LinkedIn Smart Link by phishing actors with a broader scope may be just a matter of time.
BleepingComputer has contacted LinkedIn to ask if they have plans to implement safeguards to prevent this abuse, but we have not heard back yet.
Update 9/22/22 – LinkedIn has responded to our request for a comment with the following statement:
Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing.
We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification.
To learn more about how members can identify phishing messages, see our Help Center.