Phishing scam using LinkedIn page !!!

Hello Everyone!!

Today I got one message from an unknown person regarding the job opportunity via LinkedIn.

Profile of the person from whom I got the below message: https://www.linkedin.com/in/masayukimikami/

When I opened the link I was redirected to the below page.

Then I entered my details and proceed with it and again I got redirected to another page that contains a document.

Now when I click on the view document button, I got redirected to another page which looks similar to the LinkedIn login page asking for the credentials.

When I saw the URL of the page I got to know that this is not a legit LinkedIn page because it’s hosted on some other domain of another website. And as per my understanding, it’s a phishing page.

Also when I intercepted the sign-in request in the burp suite and analyzed the post request of the sign-in page then I got to know that host and referer are different and there is a malicious request going in the post request i.e. POST /btc/set.php.

Then I opened the same link in the incognito mode and entered a random credential for testing purposes and it prompts me to download the file.zip and when I extracted it in it contain one file i.e. dog.exe, which looks like a malicious windows application.

Now I didn’t run the .exe file but I analyzed using strings cmd using the Linux terminal and I got to know that this application might be taking/asking for confidential information or might be it’s a malicious application that contains a backdoor inside it.

Conclusion:

Never open any link blindly always check for the URL i.e. what it contains and what is the host domain also never use the same credentials over all the websites.

Also, always use 2FA i.e. Two Factor Authentication in your all accounts.

Thanks,

Author: Hemant Patidar & Mayur Parmar