LinkedIn users are being targeted by a phishing campaign that tries to lure unaware users with a fake “LinkedIn Shared Document” message. The fake LinkedIn phishing pages state that the user has received a document via LinkedIn. This document can be viewed, but the user first needs to log in.
LinkedIn Shared Document phishing campaign
I found one of the LinkedIn phishing pages on URLscan and decided to take a deeper dive into it. At first glance, the phishing page is very lightweight. It only loads a couple of external resources to build the actual phishing page, which shows the “LinkedIn Shared Document” message.
Once the ‘view document here’ button is clicked, the victim is taken to another fake login page. This page tries to obtain the victim’s Microsoft OneDrive credentials.
“[Name] has granted you access to secured company files below”
Text from the LinkedIn phishing page.
I continued to find similar attacks on URLscan. These attacks were part of the same campaign but used different landing page locations. The structure and the files loaded remained the same.
Private capital fund (01-08-2022)
The current campaign claims that there is a document named ‘Private Capital Fund’. The fake message continues to state that in order to open the link the victim needs to provide their credentials first.
“To open this secure link, we’ll need you to enter the office365 email that this item was shared to.”
Text from the LinkedIn / OneDrive phishing page.
- “New project proposal” filename used in attack seen on the 30th of July 2022
- “July Recon Payment” filename used in attack seen on the 28th of July 2022
- “Payment Remittance” filename used in attack seen on the 7th of July 2022
The campaign itself
Some items stand out when looking at this LinkedIn and OneDrive phishing campaign. The cybercriminals behind this attack are doing the following:
- Changing the path of the phishing page
- Using multiple randomly named domains
- Starting with a fake “LinkedIn shared document” message which leads to a fake “OneDrive login” form
- Using a lightweight phishing page
- Using static text
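Because the text stays static while the paths and domains change, the lure wording is a stable thing to match on. The following is an added example, not code from the original post: a Python check that looks for the two quoted lure strings on pages served from hosts outside an allowlist. The allowlist, function names and sample pages are assumptions constructed for illustration.

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

# Static lure strings quoted in the write-up (lower-cased, straight apostrophe).
LURE_PHRASES = (
    "has granted you access to secured company files below",
    "to open this secure link, we'll need you to enter the office365 email "
    "that this item was shared to",
)
# Assumption: hosts where these brands legitimately appear; adjust per environment.
LEGIT_SUFFIXES = ("linkedin.com", "microsoft.com", "microsoftonline.com", "live.com")

def normalize(body):
    """Drop scripts/styles and tags, decode entities, fold quotes, case and whitespace."""
    body = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", body)
    body = re.sub(r"(?s)<[^>]+>", " ", body)
    body = unicodedata.normalize("NFKC", html.unescape(body))
    body = body.replace("\u2018", "'").replace("\u2019", "'")
    return re.sub(r"\s+", " ", body).strip().lower()

def is_legit_host(url):
    """Exact or dot-boundary suffix match, so linkedin.com.zt41v.example does not pass."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def match_lure(url, body):
    """Return the lure phrases present in a page that is not served from a legitimate host."""
    if is_legit_host(url):
        return []
    text = normalize(body)
    return [p for p in LURE_PHRASES if p in text]

# Constructed samples: (url, html body). Domains use the reserved .example TLD.
SAMPLES = [
    ("https://qx7rk2.example/a9/index.html",
     "<h1>LinkedIn Shared Document</h1><p><b>Jane</b> has granted you access to "
     "secured&nbsp;company files below</p>"),
    ("https://linkedin.com.zt41v.example/d/login.php",
     "<p>To open this secure link, we\u2019ll need you to enter the\n office365 "
     "email that this item was shared to.</p>"),
    ("https://www.linkedin.com/help", "has granted you access to secured company files below"),
    ("https://blog.example/post", "<p>Quarterly newsletter</p>"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, "->", match_lure(url, body) or "no match")
```

Matching on normalized text rather than on URL or domain keeps the check working when the landing page location changes, which is the behaviour listed above.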
Follow this campaign via URLscan