Endpoint Security Reading Time: 4 minutes

Cybercriminal attacks on social media user accounts to gain access to user credentials are becoming more refined and sophisticated. Phishing email tricks, often based on deception, play a primary role in these attacks. Comodo Threat Research Lab experts recently revealed how an attack aimed at LinkedIn users was thwarted, thanks to Comodo software.

“This attack demonstrates how sharply cybercriminals raise the complexity of their attacks. For example, this attack merged cybertechnologies and manipulative psychology,” says Fatih Orhan, head of the Comodo Threat Research Lab. “This trend will definitely increase, making the landscape of online security increasingly dangerous. The cybersecurity community must be prepared for attacks such as these. Comodo clients did not suffer from this attack because Comodo software blocked the phishing emails, preventing the emails from reaching their intended targets.”

The attack
Comodo Threat Research Lab discovered that the latest attack was from two IPs: from British Columbia and from Thailand. The attack started on February 1, 2018 at 09:32 UTC, ending at 13:45 UTC.

There were 14 emails sent from the email address admin@besama.ga (inactive domain) with each email addressed to a different user during the month of January. The email imitated a standard LinkedIn message that a user receives when another user wants to connect.

LinkedIn Attack Threat

While it did resemble a LinkedIn message, there were inconsistencies. The email address in the “From” field is <admin@besama.ga> and the email address in the “Reply” field is < gellul.Ebcon.cmo.mt@mail.ru >, neither of which are actual LinkedIn email addresses.

It also had the LinkedIn logo and familiar design, including the “View profile” and “Accept” option.

Once the user clicked an option – they were then redirected to the page that looked like the official LinkedIn sign in page, putting the user one-click away from a new perspective contact on LinkedIn.


The link led to a page similar the official LinkedIn URL, but instead, it was a phishing site created by cybercriminals to steal LinkedIn user credentials. If users submitted their login and password, the credentials went right into the wrong hands.

Why LinkedIn?
Cybercriminals hunt for credentials because it is a powerful springboard for further malicious activity. They can use account information to support a multitude of criminal activities, including fraud, identity theft, even terrorism propaganda.

Cybercriminals also try to use stolen credentials to break into other accounts, including online banking. They know most people use the same password for different accounts and obtain additional private information about users to aid in future spear-phishing or social engineering attack.

LinkedIn is a major interest for cybercriminals because it’s the place of vibrant business activity. A huge number of potential targets can be found on LinkedIn, such as high-ranking C-level employees at leading companies.

LinkedIn attack tricks
First, the users can click on the malicious link only one time, the URL then expires and the phishing page disappears. Comodo Threat Research Lab believes this is a sneaky trick cybercriminals use to cover their tracks, allowing them to remain undetectable for longer time period.

Secondly, a special feature of this attack is the social engineering approach. Comodo Threat Research Lab’s experts have found that similar phishing email attacks imitate senders from Kuwait and Saudi Arabia. This is a psychological trick, as many people in business world associate these countries with wealth, which increases chances the user takes the bait.

Additionally, the phishing email imitated a real LinkedIn message and used the name of the company and person with an account on LinkedIn. These cybercriminals take it a step further, using websites to support the phishing message. For instance, the company noted in the attack leads to: https://www.cad-consultants-kw.com, of the Cad Consultants in Kuwait, which has a logo very similar to the logo in the phishing email:

Neither the company, nor the personal accounts, used in the phishing email attack include photos of their owners. The cybercriminals have the ability to create fake accounts using actual LinkedIn information about a real company and or a real person to cover their malicious activity.

User awareness
A user may suspect something is wrong when the real LinkedIn page does not populate after putting in credentials. The user can then change their LinkedIn password or even report the incident, thus nullifying the hackers attack.

If the user researches the information in the request, then finds accounts of company and sender of the email, then verifies the company name and website, they may come to the conclusion it was a glitch. Then doing nothing, remaining unaware that their credentials are in the cybercriminals’ hands.

Avoid falling victim to a phishing attack. Keep your credentials safe.