In today’s Blox Tale, we will dive into the details of a credential phishing attack that spoofed everyone’s favorite platform for connecting with colleagues and professional networks. Attackers targeted employees at a national travel organization, with an email attack that spoofed the global brand LinkedIn in an attempt to steal victims’ login credentials.
The email attack had a socially engineered payload, bypassed Google email security and had the potential to compromise close to 500 users if it weren’t for Armorblox successfully identifying this brand impersonation attempt and stopping this malicious email attack.
Mailboxes: Close to 500 mailboxes
Target: National travel organization
Email security bypassed: Google Workspace email security
Techniques used: Social engineering, brand impersonation, replicating existing business workflows, malicious URL
The subject of this email evoked a sense of urgency in the victims, reading “We noticed some unusual activity.” At first glance, the sender appears to be LinkedIn, the global brand used for connecting with colleagues and individuals around the world. On closer inspection, however, the sender name reads “Linkedin” (an incorrect spelling of the brand’s name) and the email address is not associated with LinkedIn. Upon further analysis, the Armorblox Threat Research team found that the sending domain is fleek.co, created on March 6th of this year, in preparation for attackers to execute targeted email attacks such as this one.
The email looks like a notification from LinkedIn, alerting the end user to suspicious activity on their account. It included a LinkedIn logo at the top and bottom to instill trust in the recipient (victim) that the communication was a legitimate business notification from LinkedIn rather than a targeted, socially engineered email attack. The body of the email contains details of a sign-in attempt (device used, date and time, and location) and tells the end user that this attempt has resulted in limited account access due to potentially fraudulent activity. The victim is prompted to click “Secure my account” to prevent the LinkedIn account from being closed.
The Phishing Page
The main call-to-action button (Secure my account) within the email contained a malicious URL that took victims to a fake landing page. This fake landing page (Fig 2 below) mimicked a legitimate LinkedIn sign-in page, with LinkedIn logos, language, and illustrations that mirrored true LinkedIn branding.
Once there, victims were prompted to enter their LinkedIn user credentials (the email address and password used to access the platform) in order to verify their identity and prevent the account from being deleted.
This email attack impersonated a well-known brand, with the intention to create a sense of trust in the victim. Attackers included legitimate logos and company branding across the malicious email and fake landing page, in order to exfiltrate the victims’ sensitive user credentials.
Fig 3: Credential phishing email attack flow
The Power of Armorblox
The email attack bypassed native Google email security controls because it passed both SPF and DMARC email authentication checks.
Attackers sent this malicious email from a domain whose SPF and DMARC records were valid, with the goal of bypassing native email security layers and exfiltrating sensitive user credentials. Even though the sender domain received a high-risk reputation score, email security layers such as Google’s that rely on email authentication checks as a signal of legitimacy would not catch this targeted email attack: authentication only proves that the message really came from fleek.co, not that fleek.co has anything to do with LinkedIn. This email attack would have been delivered to close to 500 users’ mailboxes if Armorblox had not stopped it. Fortunately, these end users are protected by Armorblox, which accurately detected this email attack and its malicious URL. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications, giving organizations and end users better protection from these types of targeted, socially engineered email attacks.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (LinkedIn) and a sense of urgency through the language used within both the email and the fake landing page. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.
Brand impersonation: The email and fake landing pages included branding similar to legitimate LinkedIn communications and landing pages. The information included within the body of the email attack is similar to legitimate notification email communications, plus the logos used within both the email and landing page are the same in order to try and trick the victim and instill trust.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, and Armorblox highlights them in its 2022 Email Security Threat Report; both should be good starting points for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.
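The eye test above, together with the SPF/DMARC point from the previous section, can be turned into a simple header triage. The following is an added example written for this post; it is not Armorblox code and not how the Armorblox product works. It assumes an organization-maintained allowlist of domains a brand genuinely sends from (only linkedin.com is listed), an arbitrary 90-day "new domain" threshold, and a constructed sample message modelled on the attack (sender name "Linkedin", domain fleek.co; the local part, the legitimate control message and the registration dates are invented). The check is generic: any brand can be added to the two dictionaries.

```python
"""Header triage for brand-impersonation emails (added example, not Armorblox code).

It applies the eye test in code: does the display name claim a brand, does the
sending domain actually belong to that brand, what do SPF/DMARC really vouch
for, and how old is the sending domain.
"""
import email
import re
from datetime import date, timedelta
from email import policy
from email.utils import parseaddr

# Assumption: domains each brand genuinely sends from. An organization would
# maintain this list itself; only the brand's own domain is listed here.
BRAND_DOMAINS = {"LinkedIn": {"linkedin.com"}}

# A display name containing the brand's letters in any capitalization
# ("Linkedin", "LINKEDIN", "Linked In") is treated as a claim to be that brand.
BRAND_PATTERNS = {"LinkedIn": re.compile(r"linked\s*in", re.IGNORECASE)}

# Assumed threshold: a sending domain registered this recently is a red flag.
NEW_DOMAIN_DAYS = 90


def parse_auth_results(header_value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", str(header_value or ""))
        if match:
            verdicts[method] = match.group(1).lower()
    return verdicts


def triage(raw_message, domain_created=None, today=None):
    """Return (verdict, findings) for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    for brand, pattern in BRAND_PATTERNS.items():
        if pattern.search(display_name) and sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"display name claims {brand} but mail comes from {sender_domain}")
            # SPF/DMARC pass only proves the mail really came from sender_domain;
            # it says nothing about whether sender_domain belongs to the brand.
            if auth.get("spf") == "pass" or auth.get("dmarc") == "pass":
                findings.append(f"spf/dmarc pass authenticates {sender_domain}, not {brand}")

    if domain_created is not None:
        age = ((today or date.today()) - domain_created).days
        if age < NEW_DOMAIN_DAYS:
            findings.append(f"sending domain registered {age} days ago")

    return ("suspicious" if findings else "clean"), findings


# Constructed sample modelled on the attack in the post: sender name "Linkedin",
# domain fleek.co. The local part and the Authentication-Results line are invented.
SAMPLE_PHISH = """\
From: Linkedin <notification@fleek.co>
To: employee@example.com
Subject: We noticed some unusual activity
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=fleek.co; dmarc=pass header.from=fleek.co

We noticed a sign in attempt from a new device. Secure my account to keep it open.
"""

# Constructed control message from the brand's own domain (address invented).
SAMPLE_LEGIT = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: employee@example.com
Subject: You have a new message
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=linkedin.com; dmarc=pass header.from=linkedin.com

Body omitted.
"""

# Constructed dates: the sample arrived 40 days after its sending domain was registered.
SAMPLE_ARRIVAL = date(2020, 5, 1)
SAMPLE_DOMAIN_CREATED = SAMPLE_ARRIVAL - timedelta(days=40)

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        verdict, findings = triage(raw, SAMPLE_DOMAIN_CREATED, SAMPLE_ARRIVAL)
        print(label, verdict)
        for finding in findings:
            print("  -", finding)
```

The point of the second finding is the one the post makes: a clean SPF/DMARC result is a statement about fleek.co, so a filter that treats authentication as a proxy for legitimacy will wave the message through. The display-name check is what catches the brand claim; a domain-age feed (WHOIS or a registrar data provider) supplies the third signal in practice.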
3. Follow multi-factor authentication and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software like LastPass or 1Password to store your account passwords.