Credential Phishing Campaign Uses LinkedIn Smart Links to Target Microsoft Accounts
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
In a new phishing campaign targeting Microsoft credentials, threat actors were observed abusing LinkedIn's Smart Links feature to evade detection and slip past email security controls.
Part of the LinkedIn Sales Navigator service, Smart Links (also referred to as "slink") are used by LinkedIn business accounts for marketing and tracking. The feature lets a sender promote content through a linkedin.com link embedded in an email and measure how recipients engage with it.
Because the URL sits on a trusted linkedin.com domain and carries only a "code" parameter holding an eight-character alphanumeric ID, it looks benign to many secure email gateways (SEGs) and URL-reputation checks, which would flag a direct link to attacker infrastructure. The Smart Link then forwards the recipient to whatever destination the account owner configured, so threat actors used it to lure victims into clicking through to a phishing page and disclosing personal or work credentials.
Researchers at the email security company Cofense had already observed this technique in September 2022. The current campaign, however, is far more extensive and spans multiple industries: it used 80 unique Smart Links embedded in more than 800 emails with a variety of subjects, sent from newly created or previously compromised LinkedIn business accounts.
“The emails use generic subject lines that fit the themes of financial, human resources, documents, security, and general notifications,” Cofense revealed. To add a further sense of legitimacy, victims were not only directed to a convincing imitation of the Microsoft login page, but the link they clicked also carried their own email address.
“The designated phishing kit will read the victim’s email attached to the Smart Link to autofill the malicious form to add to the illusion of legitimacy that the victim has landed at the legitimate Microsoft sign-in,” the investigation revealed.
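The two properties described above (a linkedin.com Smart Link whose only query parameter is an eight-character "code", with the recipient's address appended to the URL) are also what a defender can key on. The following is an added example, written for this page and not code from Cofense or LinkedIn: it scans an email body for Smart Link URLs, validates the code format, and flags any link that carries an embedded email address. The URL shape `linkedin.com/slink?code=...` and the placement of the address in the URL fragment are assumptions for the constructed sample; the detector searches the whole URL so other placements are also caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample email body (not from the Cofense report). The first link
# mimics the campaign: a trusted linkedin.com Smart Link with the recipient's
# address attached. The second is a Smart Link-looking URL with an invalid code.
SAMPLE_BODY = """Subject: Payroll document shared with you

Your statement is ready for review:
https://www.linkedin.com/slink?code=Ab3dE9xZ#victim%40example.com

Unsubscribe: https://www.linkedin.com/slink?code=notvalidcode123
Regards, HR
"""

# A Smart Link lives on linkedin.com under /slink with a query string.
SMART_LINK_RE = re.compile(
    r"https?://(?:www\.)?linkedin\.com/slink\?[^\s\"'<>]+", re.IGNORECASE
)
# Eight alphanumeric characters, as described for the "code" parameter.
CODE_RE = re.compile(r"^[A-Za-z0-9]{8}$")
# Loose email-address pattern, applied to the percent-decoded URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def analyse_smart_link(url):
    """Break one Smart Link URL into the fields a triage analyst cares about."""
    parsed = urlparse(url)
    code = parse_qs(parsed.query).get("code", [""])[0]
    # The victim address may be percent-encoded (%40 for '@'), so decode first.
    email_match = EMAIL_RE.search(unquote(url))
    return {
        "url": url,
        "code": code,
        "code_valid": bool(CODE_RE.match(code)),
        "embedded_email": email_match.group(0) if email_match else None,
    }


def find_smart_links(text):
    """Return an analysis record for every Smart Link found in an email body."""
    return [analyse_smart_link(m.group(0)) for m in SMART_LINK_RE.finditer(text)]


def is_suspicious(hit):
    """A well-formed Smart Link that carries a recipient address is the
    hallmark of this campaign: legitimate marketing links do not need it."""
    return hit["code_valid"] and hit["embedded_email"] is not None


def triage(text):
    """Convenience wrapper: the suspicious URLs in an email body, in order."""
    return [h["url"] for h in find_smart_links(text) if is_suspicious(h)]


if __name__ == "__main__":
    for hit in find_smart_links(SAMPLE_BODY):
        print("SUSPICIOUS" if is_suspicious(hit) else "ok        ", hit["url"])
```

The domain itself cannot be used as the signal, since the whole point of the technique is that the domain is trustworthy; the embedded recipient address, a Smart Link arriving from a sender with no prior LinkedIn relationship, and the generic HR/finance subject lines quoted above are the indicators worth correlating in a SEG rule or a SIEM query.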
According to Cofense, the primary targets of the campaign were users in the Finance and Manufacturing industries, but victims in the Energy, Technology, Healthcare, Construction, Insurance, and Mining sectors were targeted as well.
“While it’s important to use email security suites, it is also essential for employees to constantly be up to date on their training to combat any phishing campaign. Employees must be taught not to click links from emails that seem suspicious or unexpected.”
New Magecart Campaign Modifies 404 Error Page to Steal Visitor Information
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
A novel web skimming campaign designed to steal personally identifiable information (PII) and credit card details from ecommerce website visitors has been discovered by researchers.
Discovered by the Akamai Security Intelligence Group, the campaign primarily targets Magento and WooCommerce websites, including the online stores of some large organizations in the food and retail sectors.
This Magecart-style skimming campaign hides its malicious code inside the site's default 404 error page to avoid detection and deliver the skimmer that steals payment data. “This concealment technique is highly innovative and something we haven’t seen in previous Magecart campaigns,” the Akamai report says.
The campaign follows the usual Magecart playbook for initial access: exploiting vulnerabilities in the targeted ecommerce website itself, or in the third-party services it loads, to inject the skimming code.
The campaign is divided into three main parts: loader, malicious attack code, and data exfiltration. “The purpose of separating the attack into three parts is to conceal the attack in a way that makes it more challenging to detect,” the report continued.
While analyzing the campaign, Akamai found three variations of the attack. Two were nearly identical, differing only in the loader. The loader component was either disguised as a Meta Pixel code snippet or hidden inside an existing inline script already present on the targeted website.
Upon execution, the loader sends a fetch request to a relative path named “icons”, which does not exist on the site, so the server answers with its “404 Not Found” error page. The visitor is not navigated anywhere; the request happens in the background while the page continues to render.
Further investigation of the 404 page revealed a hidden HTML comment containing the string “COOKIE_ANNOT”. Next to it was a long Base64-encoded string holding the entire obfuscated JavaScript attack code. The loader extracts and decodes this string, and the resulting script is executed to steal the sensitive information entered by the user.
“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code. These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it,” Akamai revealed.
For exfiltration the attackers relied on a common Magecart technique: injecting a fake form into the checkout page that captures the personal and credit card details the visitor types in.
With the growing sophistication of web skimming attacks, it is essential to remain vigilant when entering personal details on websites. For site operators, the campaign is a reminder that the default error page and every inline script are part of the attack surface, and that an unexpected change to either should be treated as an indicator of compromise.
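The check Akamai describes (request several paths that cannot exist and see whether every error page comes back with the same encoded blob after the marker) is easy to automate. The following is an added example written for this page, not code from Akamai or from the campaign. It extracts and decodes the string next to a `COOKIE_ANNOT` comment and audits a site by probing nonexistent paths. The exact comment layout (`<!-- COOKIE_ANNOT <base64> -->`) is an assumption, the 404 pages are constructed, and the decoded payload is a harmless placeholder standing in for the real obfuscated skimmer; an offline `fetch` stand-in replaces the HTTP client so the example runs without network access.

```python
import base64
import re

# Constructed placeholder standing in for the obfuscated attack code.
PAYLOAD_JS = "console.log('placeholder for the Base64-hidden attack code');"

# Constructed 404 pages. The comment layout is an assumption about how the
# marker and the encoded string sit next to each other in the real campaign.
TAMPERED_404 = (
    "<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>"
    "<h1>Page not found</h1>"
    "<!-- COOKIE_ANNOT " + base64.b64encode(PAYLOAD_JS.encode()).decode() + " -->"
    "</body></html>"
)
CLEAN_404 = "<html><body><h1>404 Not Found</h1></body></html>"

# Marker followed by a Base64 run long enough to be a script, inside a comment.
MARKER_RE = re.compile(r"<!--\s*COOKIE_ANNOT\s*([A-Za-z0-9+/=]{16,})\s*-->")


def extract_hidden_payload(html):
    """Return the decoded text hidden after COOKIE_ANNOT, or None if absent."""
    m = MARKER_RE.search(html)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not real Base64
        return None


def make_fake_fetch(error_page, known_pages=None):
    """Offline stand-in for an HTTP GET against one site: known paths return
    their page, every other path returns the site's default error page."""
    known = known_pages or {"/": "<html><body>Shop home</body></html>"}

    def fetch(path):
        return known.get(path, error_page)

    return fetch


def audit_error_page(fetch, probes=("/icons", "/no-such-path-1", "/no-such-path-2")):
    """Request paths that cannot exist, as Akamai did, and report whether every
    resulting error page carries the same hidden payload (a site-wide change
    to the default error page rather than a single planted file)."""
    per_path = {p: extract_hidden_payload(fetch(p)) for p in probes}
    distinct = set(per_path.values())
    tampered = len(distinct) == 1 and None not in distinct
    return {
        "tampered": tampered,
        "payload": next(iter(distinct)) if tampered else None,
        "per_path": per_path,
    }


if __name__ == "__main__":
    for name, page in (("tampered", TAMPERED_404), ("clean", CLEAN_404)):
        result = audit_error_page(make_fake_fetch(page))
        print(name, "->", "TAMPERED" if result["tampered"] else "ok")
        if result["payload"]:
            print("  decoded payload:", result["payload"])
```

In production the `fetch` stand-in would be replaced by a real client, and the decoded payload should be sent to a sandbox rather than evaluated, since on a compromised site it is the live skimmer. Monitoring the error page's content hash from a vantage point outside the site is a cheap ongoing control: the whole technique depends on the 404 body being something nobody looks at.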