Cybercriminals are expanding their playbook. While email and text remain common phishing channels LinkedIn messages are quickly gaining traction as a new favorite target.
According to The Hacker News, LinkedIn has become an appealing target because many professionals—including company executives—access the platform on corporate devices. At the same time, many organizations haven’t put the same safeguards in place to identify and intercept fraudulent LinkedIn messages as they have for email.
“Social media accounts, including LinkedIn, are increasingly being used by cybercriminals to target employees, consumers, and executives,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Beyond the lacking multi-factor authentication (MFA) noted in the article, social media channels give consumers false senses of security, because consumers inherently trust communications that come through social media.”
“Add to that the increasing sophistication of infostealers—which readily compromise credentials for account access by scraping and capturing browsing histories and stored cookies—and consumers are at ever-increasing risk of being manipulated by socially engineered attacks like phishing that prey on their psychological vulnerabilities,” she said.
A Launchpad for Campaigns
Infostealers are a powerful class of malware capable of extracting sensitive data from online sources at an alarming scale. Some experts attribute of billions of stolen personal credentials to these tools, driven in part by the vulnerabilities inherent in social media platforms.
“It’s incredibly easy to just take over legitimate accounts,” Goldberg said. “Some 60% of credentials in infostealer logs are linked to social media accounts, many of which lack MFA—because MFA adoption is far lower on nominally ‘personal’ apps where users aren’t encouraged to add MFA by their employer. This gives attackers a credible launchpad for their campaigns, slotting into an account’s existing network and exploiting that trust.”
Expanding the Scope
Although individuals are often the initial targets of LinkedIn phishing campaigns, the ultimate objective is typically to gain access to a larger organization—especially those with extensive cloud infrastructure.
Once an initial foothold is established, cybercriminals can infiltrate company systems to steal protected data for financial gain or launch ransomware attacks against the organization.
Given the rising costs associated with a single breach, organizations should broaden their phishing training and defensive strategies to specifically account for LinkedIn and other social media platforms.
