Home Hacking LinkedIn Phishing Attack Bypassed Email Filters Because it Passed Both SPF and DMARC Auth

LinkedIn Phishing Attack Bypassed Email Filters Because it Passed Both SPF and DMARC Auth


LinkedIn Phishing AttackResearchers at Armorblox have observed a phishing campaign impersonating LinkedIn. The emails inform the user that their LinkedIn account has been suspended due to suspicious activity.

“The subject of this email evoked a sense of urgency in the victims, with a subject reading, ‘We noticed some unusual activity,’ the researchers write. “At first glance, the sender looks to be LinkedIn, the global brand used for connecting with colleagues and individuals around the world. However, when looking closer it is clear that the sender name reads Linkedin (an improper spelling of the brand’s name) and the email address is not associated with LinkedIn. Upon further analysis, the Armorblox Threat Research team found the domain name is fleek[.]co, created March 6th of this year––in preparation for attackers to execute targeted email attacks such as this one.”

The phishing emails and the phishing site convincingly spoofed LinkedIn’s branding.

“The email looks like a notification from LinkedIn, notifying the end user about suspicious activity on his or her account,” the researchers write. “The email included a LinkedIn logo at the top and bottom in order to instill trust in the recipient (victim) that the email communication was a legitimate business email notification from LinkedIn – instead of a targeted, socially engineered email attack. The body of the email contains information about a sign in attempt: device used, date and time, and location; notifying the end user that this attempt has resulted in limited account access due to the potential fraudulent activity. The victim is prompted to ‘Secure my account’ to avoid the LinkedIn account from being closed.”

Armorblox notes that the phishing messages were able to bypass email security filters.

“The email attack bypassed native Google email security controls because it passed both SPF and DMARC email authentication checks,” Armorblox says. “Attackers used a valid domain to send this malicious email, with the goal to bypass native email security layers and exfiltrate sensitive user credentials. Even though the sender domain received a reputation score of high risk, email security layers such as Google that rely on email authentication checks for legitimacy would not catch this targeted email attack.”

New-school security awareness training can enable your employees to identify phishing attacks that slip past your technical defenses.

Armorblox has the story.

Source link

Related Articles

Translate »