February 3, 2022

If you received a link to LinkedIn.com via email, SMS or instant message, would you click it? Spammers, phishers and other ne’er-do-wells are hoping you will, because they’ve long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedin’s parent firm Microsoft).

At issue is a “redirect” feature available to businesses that chose to market through LinkedIn.com. The LinkedIn redirect links allow customers to track the performance of ad campaigns, while promoting off-site resources. These links or “Slinks” all have a standard format: “https://www.linkedin.com/slink?code=” followed by a short alphanumeric variable.

Here’s the very first Slink created: http://www.linkedin.com/slink?code=1, which redirects to the homepage for LinkedIn Marketing Solutions.

The trouble is, there’s little to stop criminals from leveraging newly registered or hacked LinkedIn business accounts to create their own ad campaigns using Slinks. Urlscan.io, a free service that provides detailed reports on any scanned URLs, also offers a historical look at suspicious links submitted by other users. This search via Urlscan reveals dozens of recent phishing attacks that have leveraged the Slinks feature.

Here’s one example from Jan. 31 that uses Linkedin.com links to redirect anyone who clicks to a site that spoofs Adobe, and then prompts users to log in to their Microsoft email account to view a shared document.

A recent phishing site that abused LinkedIn’s marketing redirect. Image: Urlscan.io.

Urlscan also found this phishing scam from Jan. 12 that uses Slinks to spoof the U.S. Internal Revenue Service. Here’s a Feb. 3 example that leads to a phish targeting Amazon customers. This Nov. 26 sample from Urlscan shows a LinkedIn link redirecting to a Paypal phishing page.

Let me be clear that the activity described in this post is not new. Way back in 2016, security firm Fortinet blogged about LinkedIn’s redirect being used to promote phishing sites and online pharmacies. More recently in late 2021, Jeremy Fuchs of Avanan wrote that the use of a LinkedIn URL may mean that any profession — the market for LinkedIn — could click.

“Plus, more employees have access to billing and invoice information, meaning that a spray-and-pray campaign can be effective,” Fuchs wrote. “The idea is to create a link that contains a clean page, redirecting to a phishing page.”

In a statement provided to KrebsOnSecurity, Linkedin said it has “industry standard technologies in place for URL sharing and chained redirects that help us identify and prevent the spread of malware, phishing and spam.” LinkedIn also said it uses 3rd party services — such as Google Safe Browsing, Spamhaus, Microsoft, and others — to identify known-bad URLs.

KrebsOnSecurity couldn’t find any evidence of phishers recently using LinkedIn’s redirect to phish LinkedIn credentials, but that’s certainly not out of the question. In a less complex attack, an adversary could send an email appearing to be a connection request from LinkedIn that redirects through LinkedIn to a malicious or phishous site.

Also, malicious or phishous emails that leverage LinkedIn’s Slinks are unlikely to be blocked by anti-spam or anti-malware filters, because LinkedIn is widely considered a trusted domain, and the redirect obscures the link’s ultimate destination.

Linkedin’s parent company — Microsoft Corp — is by all accounts the most-phished brand on the Internet today. A report last year from Check Point found roughly 45 percent of all brand phishing attempts globally target Microsoft. Check Point said LinkedIn was the sixth most phished brand last year.

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.


24 thoughts on “How Phishers Are Slinking Their Links Into LinkedIn

  1. Just an End User

    When legitimate companies outsource their mass mailings and use an alphabet-soup of recipient-unique links and/or a train station’s worth of redirects, it may make for more efficient marketing, but it also aids and abets phishers and typo-squatting.

    I’m probably preaching to the choir here, but this has long been a pet peeve…

  2. Daniel D. Teoli Jr.

    I’ve been suckered in sometimes. One time from the Russian Twitter scammers. I’m kinda careful now, but still, no one if perfect. LinkedIn suckered me into some of their promotions that didn’t seem like a promotion. But it was just a time-wasting annoyance and not dangerous.

    My suggestions is use a cheap tablet for internet surfing or a disposable computer. If it gets a virus, it won’t kill your main computer You still have to be careful with entering personal info even if no ransomware lock-up of your computer. But you can click away and not worry about losing too much just by clicking links.

    It is getting worse and worse every day. And with our soft on crime new world order, why should it get better? There is no penalty, so why not? I archive some of the spam / robocalls and spam faxes, but I can’t keep up. I only have time for archiving a fraction of them. I may get 600 to 800 spams a week…just on 1 email account. (I got 4 accounts.)

    Here is an example of the amount of SPAM I got over a two-hour period on 1 of my email accounts.

    https://archive.org/details/spam-emails-received-over-a-2-hour-period-on-10.27.21-ddtjrac

    Here are a few of the notable SPAMS I’ve archived at the I.A.

    https://archive.org/search.php?query=spam+ddtjrac&page=2

    If suspicious I do as you say and go to the website to see if it is real. Or call the phone number on my credit card. A couple years ago my computer got locked up from a Google search. I clicked on the top result and boom! Call them to buy the unlock key or you lose your data. When that happens, I shut down the computer ASAP and restart and am usually OK. (But not always)

    Another phishing trick is to show photos relating to you on Google searches or send in phishing reviews with links at the I.A. As a photographer, I routinely do a Google image search of my name/s to see how material is being used. One time I clicked on the image of my photo, I went to the site and it was another lockup scam. They reel you in by any means possible. It is so stressful.

    1. Kenny

      You don’t have to use other device. QubesOS is exactly what you are looking for.

    2. vb

      I use a Chromebook for Internet surfing. I have no worries for viruses or ransomware. I can logout or “Powerwash” and loose nothing.

  3. mealy

    If you received a link to LinkedIn.com via email, SMS or instant message, would you click it?

    Depends! Are you insane?

  4. Ralf

    Question from a naive user – what if one uses 2FA or MFA on vital sites like Microsoft, LinkedIn etc.?
    Does this help?

    1. Joe

      Not really. It will likely prevent the untargeted phishers from gaining access to the specific account, but any accounts that share a password would be in danger as they credential stuff other sites with those credentials. Also, if it is a targeted attack or even just a really sophisticated untargeted attacked, then they may be ready to try (or automate) your login in on the legitimate site and spoof their way through the two factor using what you enter on the spoofed site.

      For instance, there was an article a few weeks ago here about a banking scam where the scammers were wiring money out of accounts and to get around the MFA they would attempt the transaction while the phish was on the line so they could pass the code when prompted.

  5. Stéphane Moureau

    M$ could check the destination… e.g. using virustotal or similar…, like best url shorteners are doing… how simple!
    I have suggested that verification to pinterest, since then I almost never find new malicious/scam… URL on pinterest

  6. Catwhisperer

    Give humanity a collective nervous system, and it proceeds to try to eat itself for chump change, LOL. It’s like you can only trust the link if you type it yourself, perfectly, with no typos because probably the error you made in typing is already typo-squatted. I wonder if (D)ARPA had any idea when it created the internet what a Pandora’s Box would be opened…

    1. moarica

      They didn’t build it with “us all” in mind. They just made a tool. Kids can own guns now.
      We have no idea what we’re all collectively doing but we’re doing it faster all the time.

  7. holdDDoor

    Use a script blocker on your web browser, end of story.

    LinkedIn is a job networking site slash marketing website but just like any website that host personal info.. it can be used by bhats or con artists to get ppi for more advanced social eng hacks. Anyone can create a legit accounts to search job profiles for ppi to by pass the verification system.

    Again, use a script blocker on your web browser.

  8. Nunio

    I’ve never used LinkedIn, and always thought they were evil from the start when they encouraged new users to upload they’re contacts including email addresses so LinkedIn could spam those contacts. Maybe they’ve stopped doing that but it was extremely annoying a few years back.

  9. Cam

    I received an email to take a CVS survey this morning and lo and behold, the link was to linkedin.com…

  10. Some Person

    If your going to have a go at linkedin then don’t stop there, how about you rub twitters nose in it too.
    Their “t.co” cops a lot of abuse and reporting these to them is like pulling teeth in comparison.

  11. Chadonga

    Linkedin became untrusted platform. Im sorry its time to remove my account.

    1. Johnny Kessel

      it is a unrelenting source of information for Phishers and unwanted marketing email in the network I manage.

  12. FrancisT

    Linked in is far from alone in this habit.

    Unless they have fixed it since the last time I got a phish, Jetblue airlines has a similar capability using URLs from change.jetblue[.]com and I have seen others in the past.

    Combine this with LetsEncrypt and a sneaky typosquat domain (e.g. l1nkedin[.]com) or subdomain (linkedin.com.authenticate.duckdns[.]org) and the impersonating site is going to look completely legit and originate from clicking on a valid link in a legit looking email. That makes it extremely easy to impersonate a web site and phish credentials and if the crook uses reverse proxy too he will be able to extract the critical cookies after a successful 2FA login too.

  13. rapidfs

    If your going to have a go at linkedin then don’t stop there, how about you rub twitters nose in it too.

  14. dgcustomerfirst

    Anyone can create a legit accounts to search job profiles for ppi to by pass the verification system.

  15. Amanda Rodguez

    Hello everyone, I almost lost hope on my last contract due to my low credit score. Am so smooth at hiding my infidelity to someone but at this stage I have no choice to express my feeling to the world. I was finally referred to SKY BLUE CREDIT MAX and I explain to him how I was ripped off by some programmers and my score still remain the same. He told me to wait for 48 hours after my first path payment and my score increased to 750 plus excellent and I gained my in peace and got ready for the next contract. I promised to recommend him to the world if my score increases. I do not think anyone can provide you a service better than him and its affordable. Email: @SKYBLUECREDITMAX@GMAIL.COM Or Text: +17069275467

Comments are closed.