SECURITY ALERT: New LinkedIn OneDrive Phishing Campaign Detected by Heimdal™ Security
Quote:

LinkedIn Users Targeted by Malicious Phishing Campaign

Heimdal™ Security’s Incident Investigation and Response Department has recently discovered a new phishing campaign that aims to compromise LinkedIn accounts. The intel gathered so far suggests that the malicious operation indiscriminately targets business and personal accounts in an attempt to harvest Microsoft login credentials. To date, no identity cases have been registered. Heimdal Security™ will continue to monitor all online channels.

Overview

In what has been coined the LinkedIn OneDrive Phishing Campaign, the malicious actors behind this latest credential-stealing operation use fabricated LinkedIn profiles to get in touch with their victims. In 80% of observed cases, the malicious actors targeted business owners or decision-makers. The lure is a Microsoft Word document purportedly shared via OneDrive (private session).

Once the victim clicks or taps the OneDrive link, the browser redirects them to the fraudulent OneDrive page. Whether or not the victim is already signed in, the fake platform requires them to enter their credentials (the username and password associated with their Microsoft account) to read and/or make changes to the document's contents.

Forensic analysis of the domain and accounts has yielded no actionable intel: the LinkedIn accounts are disposable 'burner' accounts, there is no registrar information on Who.is, and the names attached to the malicious accounts appear to have been generated with some sort of online tool.

LinkedIn OneDrive Phishing Campaign – In-Depth Analysis

Outlined here are the results of Heimdal™ Security’s probing into the LinkedIn OneDrive Phishing Campaign case.

The LinkedIn user (business or personal profile) receives a message. In the observed cases, it’s from a person outside the user’s network. The message reads as follows:


Quote:
I hope all is well? I have shared a document with you via Onedrive, please see the shared document.

iradistributiontrade.blog.ctk.at

Regards.
(Translated from Danish)

Upon clicking or tapping the link, the user is redirected to another website: https://server.skicoupons.com/investment (domain blocked and sanitized by Heimdal™ Security). This first bounce leads the user to what appears to be a OneDrive dashboard.

A surface examination of the cloned OneDrive UI reveals no actionable information: it is almost identical to Microsoft OneDrive’s official dashboard. However, all the buttons and hyperlinks are purely cosmetic: if the user clicks or taps any button or hyperlink, a second redirect occurs, leading the user to what appears to be a Microsoft account login screen.

Despite having the same look and feel as Microsoft’s Sign In page, this is a credential-stealing form. As I’ve mentioned, the user is redirected to this fake login page even if already signed in to a Microsoft account.

Upon entering the requested credentials (email, phone number or Skype handle, and Microsoft password), the user is redirected once more, this time to an error page. Attempts to reproduce the steps leading to the Microsoft account compromise produced two distinct outcomes. In the first round, the redirect target returned an HTTP 404 error; the subsequent attempt brought up a blank browser page.
...
Continue Reading
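The practical check the article implies is simple: a message that uses the "I have shared a document with you via OneDrive" pretext should link to a Microsoft OneDrive/SharePoint host, and the link should resolve there too, not bounce through a third-party server as the one above does. The Python below is an added example and is not Heimdal's tooling or code. The lure text and the two hostnames are the ones quoted in the article; the allowlist of Microsoft share hosts and the "genuine" sample message are assumptions for the example and should be tuned to your own tenant.

```python
import re
from urllib.parse import urlsplit

# Hosts on which a genuine OneDrive/SharePoint share link lands.
# ASSUMPTION for this example: extend with your tenant, e.g. <tenant>-my.sharepoint.com.
ONEDRIVE_HOST_SUFFIXES = (
    "onedrive.live.com",
    "1drv.ms",
    "sharepoint.com",
)

# Phrases that signal the "shared a document via OneDrive" pretext.
SHARE_PRETEXT = re.compile(r"\b(shared (a )?document|onedrive|one drive)\b", re.I)

# Matches http(s) URLs, and bare hostnames of two or more labels so that a lure
# consisting of just "something.example.tld" on its own line is still caught.
URL_OR_HOST = re.compile(
    r"(?:https?://[^\s<>]+)|(?:\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/[^\s<>]*)?)",
    re.I,
)

# Constructed sample: the lure text quoted in the article, with its bare hostname.
SAMPLE_LURE = (
    "I hope all is well? I have shared a document with you via Onedrive, "
    "please see the shared document.\n\n"
    "iradistributiontrade.blog.ctk.at\n\n"
    "Regards."
)

# Constructed sample of a legitimate share for comparison (hypothetical tenant/path).
SAMPLE_GENUINE = (
    "Here is the report I shared via OneDrive: "
    "https://contoso-my.sharepoint.com/personal/jane_contoso_com/Documents/report.docx"
)

# Constructed redirect chain, as described in the article: lure host -> third-party server.
SAMPLE_CHAIN = [
    "http://iradistributiontrade.blog.ctk.at",
    "https://server.skicoupons.com/investment",
]


def host_of(link: str) -> str:
    """Lowercase hostname of a URL or bare host (scheme added if missing)."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower()


def is_onedrive_host(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of it (dot-anchored,
    so 'sharepoint.com.evil.example' and 'evilsharepoint.com' do not pass)."""
    return any(host == s or host.endswith("." + s) for s in ONEDRIVE_HOST_SUFFIXES)


def extract_links(text: str) -> list[str]:
    """All URLs and bare hostnames in the message, trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;)") for m in URL_OR_HOST.finditer(text)]


def analyse_message(text: str) -> dict:
    """Flag a message that uses the OneDrive share pretext but links off-platform."""
    links = extract_links(text)
    off_platform = [l for l in links if not is_onedrive_host(host_of(l))]
    pretext = bool(SHARE_PRETEXT.search(text))
    return {
        "pretext": pretext,
        "links": links,
        "off_platform_links": off_platform,
        "suspicious": pretext and bool(off_platform),
    }


def analyse_redirect_chain(hops: list[str]) -> list[str]:
    """Given the URLs a link resolved through, return every hop not on a OneDrive host.
    A genuine share may bounce within Microsoft domains; any other hop is a red flag."""
    return [h for h in hops if not is_onedrive_host(host_of(h))]


if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("genuine", SAMPLE_GENUINE)):
        print(label, analyse_message(msg))
    print("off-platform hops:", analyse_redirect_chain(SAMPLE_CHAIN))
```

The chain check is the part that survives a better lure: even when the first link is hosted somewhere plausible, the page the article describes only works if the victim eventually lands on a non-Microsoft login form, and that host shows up in the redirect hops.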