BEWARE: LinkedIn OneDrive Phishing Campaign
LinkedIn users are being targeted by a new phishing campaign, known as the LinkedIn OneDrive Phishing Campaign, according to Heimdal™ Security’s Incident Investigation and Response Department.
So far, they have found that the malicious operation indiscriminately targets business and personal LinkedIn accounts, attempting to harvest Microsoft OneDrive login credentials.
How the LinkedIn OneDrive Phishing Campaign
With the LinkedIn OneDrive Phishing Campaign, the cyber criminals behind the latest credential-stealing campaign are creating bogus LinkedIn profiles to get in touch with their victims.
In 80% of cases, the cyber criminals are targeting business owners and key decision-makers. Here’s how it works:
- The hacker sends the victim a link to a private OneDrive session via LinkedIn’s direct messaging service.
- Once the targeted victim clicks on the OneDrive link, their browser will redirect them to a fraudulent OneDrive page.
- Attempting to open the fake ‘file’ (usually a Word document), the victim will be redirected to a fake Microsoft Account login page. Regardless of whether the victim is signed in or not, the fake webpage will require them to input their username & password for their Microsoft account in order to access the Microsoft Word document they have been lured to open.
Doing this transmits the victim’s credentials straight to the hacker. This means that the victim’s entire Microsoft account is compromised, including potentially sensitive information on OneDrive and Outlook.
And if the victim has used similar login details for other accounts, they’re likely to be compromised elsewhere.
How to protect your business against phishing
Spotting a Phishing Attack
Boosting your cyber resilience is a good starting point.
Part of this is making your staff aware of the clear signs of a phishing attack. Here are just a few things you must look out for:
Inconsistent spelling and layout
A clear sign of a phishing attempt, whether it’s via a webpage or an email is an inconsistent layout from what you would normally expect – and especially, poor spelling and grammar.
Whilst mistakes happen, company websites (especially Microsoft’s OneDrive) are professional and will not contain spelling and grammatical errors. Let’s look at the following example of a UK Gov phishing attack. This one is quite subtle.
Look carefully at the two paragraphs. The font of the second paragraph is different to the first, implying that the content has been hastily formatted due to a quick copy and paste job.
Subtle signs like this are the sorts of things you need to look out for.
Another example of a phishing attack is vague content. This applies to both emails and direct messages on LinkedIn.
Perhaps the communication begins ‘Dear Sir/Madam’, or even foregoes an initial greeting entirely. Whilst this lack of personalisation is not proof of a phishing attack, it does suggest that the communication may have been sent en-masse. Depending on who you’re talking to, you’ll know how the sender usually speaks.
If you receive a dubious communication via email, check the address
If you’re suspicious, it’s always worth double-checking the sender’s email address.
These days, it’s easy to get into a habit of simply reading the name of the sender, rather than the address. For example, ‘Lynsey at Neuways’ as seen below.
Lynsey at Neuways <email@example.com>
However, the actual email address will help you determine whether the communication is legitimate or not.
In this example, we’re familiar with the email address ‘firstname.lastname@example.org’, therefore it is a legitimate correspondence.
However, if it was written as ‘marketIng@neuwayz.com’, we would know that it’s a spoof email.
Of course, if the sender’s account has been hacked, then you could receive a phishing email from a ‘genuine’ contact. There are other signs, however, if you’re unsure…
Use Password Tools
We recommend using a password generator in conjunction with a password manager.
A password generator guarantees strength and variety in your login credentials. The reason this is important is that even if you’re able to prevent access to your Microsoft account with MFA, a hacker could still use your compromised password to access your other services (LinkedIn, Facebook, Gmail etc.)
A password manager stores these randomly generated passwords securely and, with single sign on (SSO), ensures that you only need to sign into your services once.
Multi-Factor Authentication (MFA)
MFA is the layering of security through two or more factors.
For example, your password is one factor. Another factor might be a code to an email address or mobile device. A third factor could be voice or fingerprint recognition. You can read more about this on our Guide to Multi-Factor Authentication.
MFA can help protect your staff because even if their credentials are successfully phished by an attack like this, the attacker cannot access their Microsoft account without access to at least one other factor. The likelihood of a criminal knowing both your password and having access to your mobile device is slim.
We recommend deploying MFA against every cloud service you make use of – and if it’s not available for that service, investigate moving that specific service to another provider that does.