Internet Security News & Views

LinkedIn Phishing Emails – How to distinguish between a Phish and a Legitimate Email

Phishers target the customers of banks, online payment services and social networking sites such as HSBC Bank, PayPal, FedEx, Facebook, Evernote, Twitter and LinkedIn. Users of any online service or social networking site can be targeted through phishing emails and scams in a number of ways.

Below we will show you how to easily recognise a phishing email, just by hovering with your mouse and applying some common sense. It is easy once you know what to look out for.

Phishing emails are one of the most common ways for fraudsters to scam unsuspecting consumers.

LinkedIn has certainly become one of the most popular business-to-business social networking tools, some even say the site is replacing recruitment sites! Not surprisingly, it is becoming a target for phishing attempts.

This email masquerades as a member invitation from the popular business-focused social network LinkedIn; recipients are asked to click a link, ‘visit your InBox now’, to view the pending messages.

The email includes the LinkedIn logo and looks very similar to a genuine LinkedIn invitation message.

However, the message is not from LinkedIn. All of the links in the message lead to compromised websites that have no connection to LinkedIn.

Omniquad Security Research Labs found that the endpoint URL hosts a criminal toolkit known as the BlackHole Exploit Kit. BlackHole is a web application used by criminals to exploit browser vulnerabilities as a means of downloading and installing Trojans and other types of malicious software onto the victim’s computer.

If an email contains a link and you’re unsure whether it’s legitimate, hover over it with your mouse to see what address it directs you to. To avoid being scammed, read the guide below on how to spot a scam and protect yourself from this type of phishing attack.

In fact, LinkedIn has regularly been targeted in such malware and phishing attacks. Always ensure that LinkedIn messages are really from LinkedIn. Scam emails often use HTML to disguise the links in their bogus messages. As you can see in the screenshot below, this email looks somewhat credible.

However, we can differentiate a LinkedIn phishing email from a real LinkedIn email using the screenshots below:

A LinkedIn Phishing Email

The message body says:

LinkedIn Reminders

Invitation Reminders:

From Akshay Das (Senior Director, Business Development, Information & Media Division at The McGraw Hill Companies.)

Pending Messages

There are a total of 3 messages awaiting your response. Go to Inbox now (clickable link to malicious site)

  • Take a look at the From field in the screenshot: you can see that the mail is not originally coming from LinkedIn.
  • The highlighted text that states ‘go to inbox now’ does not point to a true LinkedIn website.

Fake linkedin email  March 2013

So, to summarise: the sender is not LinkedIn, and hovering over the clickable links reveals that the URLs are not LinkedIn’s but point to a Russian domain.

A quick search will reveal that McGraw Hill Companies is real, and there are several people named Akshay Das on the LinkedIn network, but none appear to work for McGraw Hill. The scammers have used a real company and a real name to give their scam more credibility.

A Real LinkedIn Email

As you can see in the real email from LinkedIn, the URL points to the LinkedIn website itself.

Real LinkedIn Email Request

The From field in the screenshot tells you that the email is from ….@bounce.linkedin.com – a real LinkedIn email address.

The links in the screenshot show the linkedin.com domain in the URLs when you hover over them with the mouse.

The Email Source

We would like to share the source code behind both the real and phishing emails.

Source code of the fake LinkedIn email:

Fake linkedin email  source code

You can see that the URL hidden in the code is http ://doctormusi.ru/templates/beez/track. php?c002 and that there is a tracking code at the end. Tracking codes are strings of text added to the end of a URL which let the sender track the source of a click.

Source code of the real LinkedIn email:

Real LinkedIn email source code

You can see that the URL in the code is http://www.linkedin.com, so clicking on links in real emails from LinkedIn is safe.
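The checks the post walks through (the From field, where each link really goes, and the link in the email source) can be automated against the raw message. The script below is an added example written for this page, not code from Omniquad or from the original post. Using only Python's standard library, it parses a message, compares the sender's address domain and every link target against the expected domain, and also flags the tool-tip trick raised in the comments below: a `title` attribute or link text that names linkedin.com while the `href` goes elsewhere. The two sample messages are constructed for the example; the sender addresses, host names and paths in them are placeholders, not values from a real message.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages modelled on the two emails discussed in the post.
# Sender addresses, hosts and paths are placeholders (.invalid / example.com).
FAKE_EMAIL = """From: LinkedIn Reminders <reminders@mail-relay.invalid>
To: victim@example.com
Subject: Invitation reminders
Content-Type: text/html; charset="utf-8"

<html><body>
<p>There are a total of 3 messages awaiting your response.</p>
<a href="http://phish-host.invalid/templates/beez/track.php?c002"
   title="http://www.linkedin.com">Go to Inbox now</a>
<a href="http://phish-host.invalid/unsub">www.linkedin.com</a>
</body></html>
"""

REAL_EMAIL = """From: LinkedIn <invitations@bounce.linkedin.com>
To: victim@example.com
Subject: Invitation to connect
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://www.linkedin.com/e/invite" title="http://www.linkedin.com">View invitation</a>
</body></html>
"""

# Matches link text or title attributes that look like a domain or URL
# ("www.linkedin.com", "http://www.linkedin.com/x"). Plain words such as
# "Go to Inbox now" do not match and therefore make no domain claim.
DOMAIN_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#:].*)?$",
    re.IGNORECASE,
)


class LinkCollector(HTMLParser):
    """Collect every <a> in the HTML body with its href, title and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "", "title": a.get("title") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (bounce.linkedin.com -> linkedin.com)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def claimed_host(text):
    """Domain a link *claims* to go to via its text or title attribute, or None if it makes no claim."""
    m = DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


def analyse(raw_message, expected_domain="linkedin.com"):
    """Return a list of findings; an empty list means every check in the post passed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1: the From field. The display name is free text, so only the address domain counts.
    _, addr = parseaddr(str(msg["From"] or ""))
    if not in_domain(addr.rpartition("@")[2], expected_domain):
        findings.append(f"sender {addr!r} is not under {expected_domain}")

    # Check 2: where each link really goes (what hovering shows), read from the HTML source.
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    for link in parser.links:
        actual = (urlparse(link["href"]).hostname or "").lower()
        if in_domain(actual, expected_domain):
            continue
        findings.append(f"link {link['text']!r} goes to {actual or link['href']!r}, not {expected_domain}")
        # Check 3: the tool-tip trick. A title attribute or link text naming the expected
        # domain while the href goes elsewhere is a deliberate disguise.
        for claim in (link["title"], link["text"]):
            c = claimed_host(claim)
            if c and in_domain(c, expected_domain):
                findings.append(f"link disguised as {claim!r} but points to {actual!r}")
    return findings


def is_suspicious(raw_message, expected_domain="linkedin.com"):
    return bool(analyse(raw_message, expected_domain))


if __name__ == "__main__":
    for label, sample in (("fake", FAKE_EMAIL), ("real", REAL_EMAIL)):
        print(f"== {label} ==")
        for finding in analyse(sample) or ["no findings"]:
            print(" -", finding)
```

Run against the constructed fake message it reports the sender, both links and both disguises; against the constructed real message it reports nothing, because bounce.linkedin.com is a subdomain of the expected domain and the link's host is www.linkedin.com. To check a message you have received, save it as raw source (most mail clients offer "view source" or "save as .eml") and pass the file contents to `analyse`.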

Phishing scams of this nature are all too common and, in spite of widespread publicity, they continue to fool people all around the world into handing over their financial and personal information. Legitimate banks and other financial institutions will never send their customers unsolicited, generic emails that request them to click a link to login and provide personal information.

Finally our mantra:

Tips to spot phishing emails:

  • Requests that you supply personal information directly in the email or submit it online.
  • Threatens to suspend or close your online accounts if you do not respond to the email.
  • Claims that your account has been compromised or accessed by an unauthorised person.
  • Requests that you enter, validate or verify your account information.
  • States that there are unauthorised charges on your account and requests your account information.
  • Claims that the bank has lost important security information and needs you to update your information online.
  • Requires you to enter your card number, password, user ID or account numbers into an email.

Protect yourself from email frauds.

  • Never click on hyperlinks within emails; instead, copy and paste them into your browser.
  • Do not open any file attached to the email.
  • Always look for “https://” and the padlock on websites that require personal information.
  • If you didn’t initiate a transaction to which an email is referring, it’s probably a scam.
  • Never respond to spam, suspicious emails or emails from unknown senders.
  • Do not supply your personal or bank account information to strangers; they are most likely scammers.
  • Use spam filtering software.

- The Omniquad Security Team


4 Responses

  1. Hovering over the links can sometimes lead to a false conclusion. You can see below the links extracted from the source of a message received by me. The part
    title="http://www.linkedin.com"
    in them disguises the URL they really point at.
    ———
    From Martin Dunkerton
    (Oracle Applications Specialist)
    ———

    Go to InBox
    now.

    ———
    Login to your LinkedIn account to Unsubscribe.

    • That is a good point worth noting, Dimiter, and thanks for sharing the above example.

      They have added an alt tag with the anchor text [www.linked.com], and this alt tag will appear when hovering with the mouse.
      The real URL will still be visible down in the left-hand corner of your screen. It is therefore worth paying attention to alt tags too: verify the URL shown at the bottom of your screen and if it is different, don’t click.

      • I should like to add that some mail programs (e.g. Outlook Express) display the tool tip (http://www.linkedin.com in the case of this example), but display no URL at the bottom of the screen.

      • True. It is then easier to spot a phish/scam through web-mail than if you are using Outlook or another email program that does not show the URL at the bottom of the screen. Another good reason why a high-performance junk mail filter or email filtering solution is a good investment.
