In today’s Blox Tale, we will look at a LinkedIn credential phishing attack that was sent from a compromised university email account and hosted its phishing page on Google Forms. The email claimed that the victims’ LinkedIn account had been locked due to unusual activity and invited them to verify their account if they wanted to restore access.
Org mailboxes: ~700
Email Provider: Google Workspace
Techniques used: Social engineering, brand impersonation, replicating existing workflows, email account takeover, using free online services, using security themes
Fig: Credential phishing attack spoofing a LinkedIn message and using Google Forms to host phishing page
This email claimed to come from LinkedIn, had ‘LinkedIn’ as the sender name, and was titled ‘verify your LinkedIn account’ followed by the victim’s name. Adding the victim’s name increases the likelihood that they will open the message.
The email claimed that the victim’s LinkedIn account had been locked due to unusual activity and invited the victim to verify their account. The email also included links to view LinkedIn’s terms of service and customer support contact, but all email links routed to the same phishing page, which we will look at in the next section.
A snapshot of the email is given below:
Fig: Email sent from a compromised university email account spoofing a LinkedIn locked account workflow
It’s important to note the sender address - ‘linkedin@pauluniversity[.]edu[.]ng’. This is the legitimate domain of Paul University in Awka, Nigeria, which means the attackers most likely compromised a university mailbox and used the university’s own mail infrastructure to send this email.
Because the message left a real mailbox through that infrastructure, it passed SPF, DKIM, and DMARC rather than evading them: these checks authenticate the sending domain, not the intent of whoever is using it. The car is roadworthy and carries the correct license plates, but there’s a malicious driver at the wheel.
The Phishing Page
Clicking any of the links in the email leads victims to a phishing page that asks for their LinkedIn username and password. This page was hosted on Google Forms and used LinkedIn branding to get past victims’ perfunctory eye tests. Because Google Forms is ‘trusted by default’, the link sailed past email security technologies that make a binary decision based on lists of known-bad or suspicious URLs.
We have observed a variety of Google services like Docs, Forms, Sites, and Firebase exploited by cybercriminals in phishing attacks, and reported on a spate of such attacks last year.
Fig: Phishing page hosted on Google Forms asking for LinkedIn account credentials
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
- Social engineering: The email title, sender name, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the email claimed to come from a legitimate company (LinkedIn), and a sense of urgency because it claimed the victim’s account had been locked, something they would be eager to reverse. The email included the victim’s name in the title as well, further adding to the targeted nature of the attack.
- Brand impersonation: The email content repeatedly references LinkedIn and the phishing page includes LinkedIn branding that lends it a surface-level familiarity to the real brand. If one stops and thinks about it, there’s something suspicious about the phishing page. But scammers are banking on the fact that victims won’t stop and think about it.
- Third-party email account compromise: The email was sent from a compromised account belonging to a Nigerian university. Because the sending domain was legitimate, the email passed SPF, DKIM, and DMARC authentication checks. We have repeatedly observed account takeover being used as the starting point to launch follow-on phishing attacks.
- Using security themes: The email used the guise of locked accounts and security concerns to extract account credentials. As employees want to be good corporate citizens, they will tend to take quicker action on communication that claims to be security-related. The irony hits like Thor’s hammer here.
- Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily lives (locked online account due to unusual activity). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
- Using Google Forms to host the phishing page: The phishing page was hosted on Google Forms. Free online services like Google Forms make our lives easier, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks. We have also observed attacks exploiting Google Firebase, Box, Google Sites, and Typeform in a similar manner.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past Google Workspace email security. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that covers the sender name, the sender email address (the domain after the ‘@’, not just the name in front of it), the language within the email, and any logical inconsistencies (e.g. why is LinkedIn sending this to my work account? why do all the links lead to the same page?).
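The eye test above can be partly automated. The script below is an added example written for this post, not code from the original article or from any vendor product; it runs the same three checks a careful reader would on a raw message: does the sender name claim a brand that the From domain does not belong to, do differently labelled links all share one destination, and is that destination a free form or page builder. It also parses the Authentication-Results header to make the point raised earlier in this post explicit: SPF, DKIM, and DMARC can all pass on a message that is still phishing. The brand-to-domain table, the list of free form hosts, and both sample messages are assumptions constructed for the example; the Google Forms URL is a placeholder, not the one used in the attack.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: linkedin.com is the only domain LinkedIn legitimately mails from.
BRAND_DOMAINS = {"linkedin": {"linkedin.com"}}
# Assumption: free form/page builders that URL-reputation filters treat as trusted by default.
FREE_FORM_HOSTS = ("docs.google.com", "forms.gle", "sites.google.com",
                   "typeform.com", "firebaseapp.com", "web.app")


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def auth_results(msg):
    """Parse the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in
            re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def analyze(raw):
    """Return the authentication status plus the social-engineering cues found in one message."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []

    # Cue 1: the sender name (or local part) claims a brand the From domain does not belong to.
    display, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    for brand, legit in BRAND_DOMAINS.items():
        if (brand in display.lower() or brand in local) and domain not in legit:
            reasons.append(f"sender claims '{brand}' but From domain is {domain}")

    body = msg.get_body(preferencelist=("html",))
    links = []
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        links = collector.links

    # Cue 2: differently labelled links ("verify", "terms", "support") share one target.
    if len(links) > 1 and len({href for _, href in links}) == 1:
        reasons.append(f"{len(links)} differently labelled links all go to {links[0][1]}")

    # Cue 3: the target is a free form/page builder rather than the brand's own site.
    for _, href in links:
        host = (urlparse(href).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FREE_FORM_HOSTS):
            reasons.append(f"link hosted on free service {host}")
            break

    auth = auth_results(msg)
    auth_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    return {"auth_pass": auth_pass, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample modelled on the attack described above (not the real message).
PHISH = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=pauluniversity.edu.ng;
 dkim=pass header.d=pauluniversity.edu.ng; dmarc=pass header.from=pauluniversity.edu.ng
From: LinkedIn <linkedin@pauluniversity.edu.ng>
Subject: verify your LinkedIn account Jane
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been locked due to unusual activity.</p>
<a href="https://docs.google.com/forms/d/e/EXAMPLE/viewform">Verify your account</a>
<a href="https://docs.google.com/forms/d/e/EXAMPLE/viewform">Terms of service</a>
<a href="https://docs.google.com/forms/d/e/EXAMPLE/viewform">Customer support</a>
</body></html>
"""

# Constructed control: a genuine-looking notice whose links go to the brand's own domain.
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: LinkedIn <security-noreply@linkedin.com>
Subject: New sign-in to your account
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.linkedin.com/psettings/">Review activity</a>
<a href="https://www.linkedin.com/help/">Help center</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze(raw))
```

Run as-is, the phishing sample comes back with `auth_pass` true and three reasons (brand/domain mismatch, three labels pointing at one URL, Google Forms host), while the control passes cleanly. The brand table is deliberately the weak point: it only catches impersonation of brands you have enumerated, so in practice it is fed from the brands your organisation actually receives mail from.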
3. Follow MFA and password management best practices
Although we didn’t observe what the attackers did with the credentials submitted through the form, a harvested username and password are rarely used only against the account they were stolen from; if the same password protects other accounts, those are exposed too.
If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use a password manager like LastPass or 1Password to store your account passwords.
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
- Don’t use generic passwords such as ‘password123’, ‘YourName123’, etc.