Key Takeaways
- Finance executives are being targeted by sophisticated LinkedIn phishing scams
- Attackers use fake board membership offers to steal Microsoft credentials
- The scam bypasses traditional email filters using social media platforms
- Security firm Push Security has detected and blocked these high-risk attacks
A sophisticated new phishing campaign is targeting LinkedIn users, specifically aiming to steal Microsoft login credentials from finance leaders and executives. Unlike traditional email-based attacks, this method uses direct messaging on the professional network to appear more legitimate.
How the LinkedIn Phishing Scam Works
The attack begins with a direct message from what appears to be a legitimate LinkedIn profile. The message contains an exclusive invitation for executives to join the executive board of a newly created “Commonwealth” investment fund in South America.
“I’m excited to extend an exclusive invitation for you to join the Executive Board of the Commonwealth investment fund in South America in partnership with AMCO – Our Asset Management branch, a bold new venture capital fund launching an Investment Fund in South America,” the fake message reads.
The prestigious-sounding offer tempts targets with what appears to be a career milestone. However, the real scam begins when victims click on a document link included in the message to review the board position details.
Multi-Stage Credential Theft Process
Clicking the link initiates a complex redirect process through Google Search, then to an attacker-controlled site, and finally to a custom landing page hosted on firebasestorage.googleapis[.]com. When victims attempt to view the document using Microsoft, they’re redirected to a custom-designed adversary-in-the-middle (AiTM) phishing page that perfectly mimics the official Microsoft login screen.
Entering credentials on this fake page results in immediate theft of corporate login information, putting both personal and organizational data at significant risk.
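As an added illustration (not code from the article or from Push Security), the check below walks a captured redirect chain of the kind described above and flags the pattern: a Google Search redirector, a landing page on firebasestorage.googleapis.com, and a Microsoft-style sign-in URL served from a host that is not a Microsoft login host. The host lists, path markers and all sample URLs are assumptions constructed for the example.

```python
from __future__ import annotations
from urllib.parse import urlparse

# Hosts where a Microsoft sign-in page legitimately lives (assumption: extend
# with tenant-specific hosts such as an ADFS server if you run one).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Legitimate hosting service the article reports being abused for the landing page.
ABUSED_HOSTING = {"firebasestorage.googleapis.com"}

# Path/query fragments typical of a Microsoft sign-in flow (assumption); seeing them
# on a non-Microsoft host marks a lookalike login page.
LOGIN_MARKERS = ("microsoftonline", "oauth2/authorize", "login.srf", "/common/login")


def classify_hop(url: str) -> set[str]:
    """Return the suspicious properties of a single hop in a redirect chain."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path_q = (p.path + "?" + p.query).lower()
    tags: set[str] = set()
    if host.endswith("google.com") and p.path == "/url":
        tags.add("google-redirector")           # Google Search used as a hop
    if host in ABUSED_HOSTING:
        tags.add("abused-hosting")              # landing page on legitimate storage
    if any(m in path_q for m in LOGIN_MARKERS) and host not in MICROSOFT_LOGIN_HOSTS:
        tags.add("microsoft-login-lookalike")   # AiTM page candidate
    return tags


def assess_chain(chain: list[str]) -> dict:
    """Aggregate per-hop tags and decide whether the chain matches the AiTM pattern."""
    hop_tags = [classify_hop(u) for u in chain]
    found: set[str] = set().union(*hop_tags) if hop_tags else set()
    # A fake login reached via a redirector or abused hosting is the reported pattern.
    matches = "microsoft-login-lookalike" in found and (
        "google-redirector" in found or "abused-hosting" in found
    )
    return {"hop_tags": hop_tags, "findings": sorted(found), "matches_aitm_pattern": matches}


# Constructed sample chains (reserved .example names; not real indicators).
CONSTRUCTED_CHAIN = [
    "https://www.google.com/url?q=https://attacker.example/board-invite",
    "https://attacker.example/board-invite",
    "https://firebasestorage.googleapis.com/v0/b/bucket.example/o/invite.html",
    "https://attacker.example/common/oauth2/authorize?client_id=PLACEHOLDER",
]
LEGIT_CHAIN = [
    "https://contoso.example/board/doc",
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=PLACEHOLDER",
]

if __name__ == "__main__":
    print(assess_chain(CONSTRUCTED_CHAIN))
```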
Security Firm Sounds Alarm
Push Security uncovered this campaign and has successfully blocked several high-risk LinkedIn phishing attacks. The security company noted that the attackers are using bot-protection measures on their pages to keep automated security scanners from analysing and flagging them.
“Attackers are using common bot protection technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged),” Push Security said in a blog post.
The firm emphasized that phishing campaigns are increasingly shifting from email to social media platforms, requiring organizations to adapt their security awareness and protection strategies accordingly.
“Just because the attack happens over LinkedIn doesn’t lessen the impact — these are corporate credentials and accounts being targeted, even if it is nominally a ‘personal’ application. Taking over a core identity like a Microsoft or Google account can have wide-ranging consequences, putting data at risk in both core apps and any downstream apps that can be accessed via SSO from the compromised account,” Push Security warned.
Organizations should implement additional verification processes for sensitive credential requests originating from social media platforms.