New phishing scam on LinkedIn is using fake board offers to steal corporate credentials: here's how

A new phishing scam is targeting finance leaders on LinkedIn, offering them fake board seats in order to steal their Microsoft credentials.

Aman Gupta
Updated 3 Nov 2025, 10:06 PM IST
LinkedIn users are being targeted via a new scam (REUTERS)

LinkedIn users are being targeted via a new phishing campaign that aims to harvest the Microsoft login credentials of finance leaders. Instead of the usual phishing emails, the attackers are using a more sophisticated method to reach high-value individuals.

The campaign was unearthed by Push Security, which says that it recently detected and blocked a high-risk LinkedIn phishing attack.

How are attackers stealing credentials of LinkedIn users?

As per the cybersecurity company, victims are first contacted via a direct message on LinkedIn from a legitimate-looking profile. The attacker sends what is claimed to be an invitation for executives to join the executive board of a newly created "Commonwealth" investment fund.

​"I'm excited to extend an exclusive invitation for you to join the Executive Board of the Commonwealth investment fund in South America in partnership with AMCO - Our Asset Management branch, a bold new venture capital fund launching an Investment Fund in South America," the fake message reads

The offer sounds prestigious and high-value, tempting the target to see it as a career milestone. The real scam, however, begins here: the message also contains a link to a document or proposal which the victim supposedly needs to review in order to accept the position.

Clicking on the link takes the user through a series of redirects, first via Google Search, then through an attacker-controlled site, and finally to a custom landing page hosted on firebasestorage.googleapis[.]com. Upon clicking on one of the document links on the page, the victim is asked to view the document with Microsoft.
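The redirect chain described above is something a defender can look for in web proxy logs. As an added example that is not from the article or from Push Security, the following Python sketch reconstructs per-session hop sequences from constructed log rows and flags chains that start from LinkedIn, pass through Google and an untrusted host, and land on firebasestorage.googleapis.com; the log layout, session ids and hostnames are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log rows (session id, referrer, requested URL); not real traffic.
# Session s1 follows the chain described in the article; s2 is a benign click from LinkedIn.
SAMPLE_LOG = [
    ("s1", "https://www.linkedin.com/messaging/thread/1/", "https://www.google.com/search?q=commonwealth+fund"),
    ("s1", "https://www.google.com/search?q=commonwealth+fund", "https://redirector.example.invalid/go"),
    ("s1", "https://redirector.example.invalid/go", "https://firebasestorage.googleapis.com/v0/b/x/o/proposal.html"),
    ("s2", "https://www.linkedin.com/feed/", "https://learn.microsoft.com/en-us/"),
]

# Hosts that are expected in a legitimate LinkedIn -> Microsoft journey.
TRUSTED_SUFFIXES = ("linkedin.com", "google.com", "microsoft.com", "microsoftonline.com")
LANDING_HOST = "firebasestorage.googleapis.com"  # final landing host named in the article


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def in_domain(host: str, suffix: str) -> bool:
    """True when host is suffix itself or a subdomain of it (no substring matching)."""
    return host == suffix or host.endswith("." + suffix)


def build_chains(log):
    """Group rows by session into an ordered list of visited hosts, starting with the first referrer."""
    chains = {}
    for session, referrer, url in log:
        hops = chains.setdefault(session, [])
        if not hops:
            hops.append(host_of(referrer))
        hops.append(host_of(url))
    return chains


def is_board_offer_chain(hops) -> bool:
    """LinkedIn origin -> hop through google.com -> at least one untrusted host -> Firebase landing page.
    Visiting firebasestorage alone is not flagged; it is a legitimate service used by many sites."""
    if len(hops) < 4 or not in_domain(hops[0], "linkedin.com") or hops[-1] != LANDING_HOST:
        return False
    middle = hops[1:-1]
    via_google = any(in_domain(h, "google.com") for h in middle)
    untrusted = any(not any(in_domain(h, s) for s in TRUSTED_SUFFIXES) for h in middle)
    return via_google and untrusted


def flag_sessions(log):
    """Sorted session ids whose hop sequence matches the campaign's redirect pattern."""
    return sorted(s for s, hops in build_chains(log).items() if is_board_offer_chain(hops))


if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))  # ['s1']
```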

Phishing page resembling Microsoft login page

The user is then taken to a custom-designed adversary-in-the-middle (AiTM) phishing page which mimics the look of an official Microsoft login screen. Entering credentials and completing the sign-in check on this page results in the credentials being stolen by the attacker.

​"Attackers are using common bot protection technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged)," Push Security said in a blogpost.

The company also stated that phishing campaigns are now moving from primarily email targets to social media apps, which means organizations should be on guard against this kind of attack vector.

“Just because the attack happens over LinkedIn doesn’t lessen the impact — these are corporate credentials and accounts being targeted, even if it is nominally a “personal” application. Taking over a core identity like a Microsoft or Google account can have wide-ranging consequences, putting data at risk in both core apps and any downstream apps that can be accessed via SSO from the compromised account,” Push Security warned.
