A new phishing scheme on the popular social media network LinkedIn has been revealed. This campaign uses compromised accounts to connect with mutual contacts via the app’s internal direct messaging system. Messages will then try to trick legitimate users into opening a “LinkedIn Private Shared Document.”
The catch? “LinkedIn Private Shared Document” is not a supported part of the platform—and should raise an immediate red flag for any user who receives such a message. Clicking on the purported document redirects users to a third-party site that houses a login page suspiciously similar to LinkedIn’s real one. Any account credentials entered there are captured by the attackers, who then use them to log in to the victim’s real profile and perpetuate the scam.
It’s a sophisticated scam made even more dangerous by the legitimate-looking spoofed login page. Security experts say these pages are hosted on well-known domains like Appspot, Firebase, and Pantheon.io, making it harder to stop the scam in its tracks.
Why Is This so Dangerous?
LinkedIn is a platform built on the connections between professionals, so a breach of that trust can have significant impacts on individuals and businesses. Also, if a user’s LinkedIn login credentials are the same as those used for email accounts, banking services, or other social media platforms, hackers can easily break into those and deepen the extent of the problem. That puts critical personal and business data at risk.
This phishing scheme can affect small companies and big businesses alike; every user on LinkedIn represents an individual node in an interconnected network that can span tens of thousands of other professionals. Breaking into that network and disrupting it with scams can lead to devastating consequences.
This likely means that their account has been compromised, so you’ll want to reach out via email, text, or phone to alert them. Don’t wait to take action, though: every phishing message sent from your connection’s hijacked account can spread the problem further down the chain of contacts.
Multi-factor authentication (MFA) is a login process that combines something a user knows (his or her password) with something a user has, typically a unique, time-based one-time password (TOTP) or a push alert delivered via a dedicated app, text message, or email. MFA mitigates the threat that weak or stolen passwords pose to the overall cybersecurity of individuals and companies.
As this latest LinkedIn scheme demonstrates, once a weak or reused password has been stolen, hackers can infiltrate entire systems and networks by redirecting users to illegitimate sites, installing dangerous malware on computers, seizing personal information, and even demanding a ransom for its return.
Once you’ve implemented multi-factor authentication, take password security to the next level by deploying a password management tool that can regularly replace weak or reused credentials with strong strings of characters unique to each platform. Those individual passwords are stored encrypted, so each user needs to remember only one master password for access. Password managers have their pros and cons—working with a trusted IT provider to deploy one is critical.
Threat response has become an integral part of modern IT solutions. If threats like the LinkedIn campaign can be anticipated, preventing them from ever infiltrating your system is possible—especially if you work with a trusted business partner like CMIT Solutions. We have extensive experience protecting clients across North America with our 24/7 monitoring and maintenance infrastructure, which scans for risks or vulnerabilities and springs into action when needed to stop attacks.
Smart employees can often serve as the first line of defense against phishing campaigns. Encourage all employees to be wary of messages across all platforms. Make sure everyone knows NOT to open ANY attachments or click on ANY link if they aren’t expecting the email and attachment or if they see anything suspicious. Hover over website links and look for legitimate URLs as opposed to a string of random characters or unrecognized addresses. And if you have any reason to be suspicious, double-check the message header, subject lines, and body copy for small errors.
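The “hover over the link and read the URL” advice above is easy to state but has several traps, so here is an added example (not code from the original post) that applies the same check programmatically to a login link: it requires HTTPS, rejects a fake host hidden behind a `user@` prefix, rejects punycode look-alike domains, and accepts only an exact allowlist of LinkedIn hosts rather than anything that merely contains “linkedin.com”. The allowlist and the `.example` phishing hosts are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit
from typing import FrozenSet, Tuple

# Hosts that genuinely serve LinkedIn's login page (assumed allowlist for this example).
LINKEDIN_HOSTS: FrozenSet[str] = frozenset({"linkedin.com", "www.linkedin.com"})


def check_login_link(url: str, allowed: FrozenSet[str] = LINKEDIN_HOSTS) -> Tuple[bool, str]:
    """Return (legitimate, reason) for a link that claims to lead to the LinkedIn login page."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "scheme is %r, expected https" % parts.scheme
    if "@" in parts.netloc:
        # https://www.linkedin.com@evil.example/ : the browser ignores everything before '@'
        return False, "text before '@' disguises the real host"
    host = (parts.hostname or "").lower().rstrip(".")
    if host.startswith("xn--") or ".xn--" in host:
        # Internationalised label that could render like 'linkedin' with substituted characters
        return False, "punycode host may be a look-alike domain"
    if host in allowed:
        return True, "host is a known LinkedIn host"
    # 'linkedin.com' appearing as a leading label (linkedin.com.evil.example) is not enough;
    # only the registered domain at the end of the host decides who controls the page.
    return False, "host %r is not a LinkedIn host" % host


if __name__ == "__main__":
    for link in (
        "https://www.linkedin.com/login",
        "https://www.linkedin.com.linkedin-private-document.example/login",  # constructed
        "https://www.linkedin.com@linkedin-private-document.example/login",  # constructed
    ):
        print(link, "->", check_login_link(link))
```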
Investing in training early and often can pay big dividends for your business. Start by incorporating cybersecurity education into employee onboarding, and then consider annual refreshers that keep staff updated on the latest phishing tactics. Make sure your training includes evolving cyberattack tactics, phishing and social engineering information, password security best practices, email and social media protocols, remote management and access rules, and incident response procedures. That way your employees can truly contribute to overall cybersecurity.
Automatically creating regular backups of your important business information is one of the most critical security measures your business can take. Free Internet-based solutions and local hard drive backups just aren’t enough—instead, reliable, remote, and redundant data backup performed by a trusted IT provider is the safest way to prevent any ransomware attack, virus infection, or data breach from knocking your business out of commission.
At CMIT Solutions, we understand that cybersecurity threats come from all corners—even reliable apps like LinkedIn. We go above and beyond the call of duty to protect the data, devices, and digital identities of our clients. Even as phishing campaigns evolve, our 800+ technicians across North America stay ahead of the curve by working 24/7 to deploy new protections and devise new strategies for IT success.
If you’re looking for a trusted partner to protect your business from IT issues and cybersecurity threats, contact CMIT Solutions today.