The phishing attacks are spoofing LinkedIn to target ‘Great Resignation’ job hunters, who are also being preyed on by huge data-scraping bot attacks.
Emotionally vulnerable and willing to offer up any information that lands the gig, job seekers are prime targets for social engineering campaigns. And with the “Great Resignation” in full swing, cybercriminals are having an easy time finding their next victim.
Just since Feb. 1, analysts have watched phishing email attacks impersonating LinkedIn surge 232 percent, attempting to trick job seekers into giving up their credentials.
“Current employment trends help to make this attack more convincing,” a new report from Egress said. “‘The Great Resignation’ continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands.”
The emails had subject lines that would be enticing to job hunters hoping to get noticed, like, “Who’s searching for you online,” “You appeared in 4 searches this week” or even “You have 1 new message,” the Egress team said.
The phishing emails themselves were convincing dupes, built in HTML templates with the LinkedIn logo, colors and icons, the report added. The scammers also name-checked well-known companies throughout the bodies of the phishing emails, including American Express and CVS Carepoint, to make the correspondence seem more legitimate, the analysts said.
Even the email’s footer lifted the company’s headquarters’ address and included “unsubscribe” links to add to the email’s authenticity, the analysts pointed out.
“You can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks,” the report said.
Once the victim clicks on the malicious links in the email, they were directed to a site to harvest their LinkedIn logins and passwords.
“While the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other,” the analysts added. “Currently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.”
021722 09:18 UPDATE: LinkedIn sent the following statement to Threatpost:
“Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification. To learn more about how members can identify phishing messages, see our Help Center here.”