LinkedIn Redirect Abuse
Jun. 10, 2024
Key Points
- Approximately 117,000 messages were observed abusing LinkedIn generated redirect across two major campaigns between March and April 2024
- This redirect technique helps threat actors evade traditional security measures by hiding a malicious link in the URL for a trusted domain.
- The primary intent was to steal credentials of recipients most likely to sell for profit.
Introduction
Threat actors are continuing to abuse a redirect that can be generated through LinkedIn, encouraging potential victims to click through to a malicious webpage designed to steal credentials.
The redirects are generated from public facing pages on LinkedIn for personal or company profiles. These profiles will include a section with a link to an external site which can be retrieved as a redirect URL generated by LinkedIn. This technique can help threat actors bypass security measures designed to protect against malicious URLs and land an email into the inbox of unsuspecting victims.
Campaigns
There have been 2 major campaigns observed across two days in March and April 2024, using a similar theme of notifying the recipient they have received a new audio message review, with a link to click through to listen.
Subject:1Message Received From Caller
Subject:INTEL NEW
By analyzing the headers for the email, we can see that it was sent from an Amazon SES account likely compromised by the threat actor. The benefit to the threat actor of compromising an SES account is they can then send malicious emails from a trusted source where the regular security including SPF, DKIM and DMARC will most likely pass.Redirect
Below is a LinkedIn URL redirect example taken from the second campaign.
hxxps://www.linkedin[.]com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website
This LinkedIn redirect is not an open redirect, meaning it cannot be abused simply by replacing the section of the URL query containing the redirect destination. This implies the threat actor had to generate the URL from LinkedIn. The threat actor likely generated this redirect by creating a public profile through LinkedIn then adding sections to it which contain a link to an external resource. A threat actor can then copy the redirect generated by LinkedIn and paste it into an email campaign.
Redirect Chain
Looking at one of the LinkedIn redirect links from one of the above campaigns…
URL format:
hxxps://www.linkedin[.]com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website
Landing page
hxxps://lookerstudio.google[.]com/reporting/ce8908e1-d4e1-46d1-9087-7b8dc3e8dd6f/page/67CrD?s=scrHqwjeA3k
Captcha
The threat actor has included a Cloudflare captcha through one of the redirect URLs to make it difficult for security tools to scan the link and determine if the final URL resolved to is malicious.
hxxps://okc.palledon[.]com/?unkbjkwn=0aae36c6e061aa3f26cbcc34c062b75b18a753529a21b5df81391f2085dc3140ab0c7064a0c6b7ff5bf35f00be826d862bbb107de90164655f78f7ddf91fc468
Credential capture page
Final phishing page impersonating Microsoft online to capture and steal user credentials.
hxxps://index.keltinag[.]com/?ay14c1s87=aHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL2NvbW1vbi9vYXV0aDIvYXV0aG9yaXplP2NsaWVudF9pZD0wMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAmcmVkaXJlY3RfdXJpPWh0dHBzJTNhJTJmJTJmb3V0bG9vay5vZmZpY2UuY29tJTJmb3dhJTJmJnJlc291cmNlPTAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMCZyZXNwb25zZV9tb2RlPWZvcm1fcG9zdCZyZXNwb25zZV90eXBlPWNvZGUraWRfdG9rZW4mc2NvcGU9b3BlbmlkJm1zYWZlZD0xJm1zYXJlZGlyPTEmY2xpZW50LXJlcXVlc3QtaWQ9YzFjZTlkYTEtNmM1OS1kNDhmLWI0Y2YtZjZiZjM2ZDgxYWU2JnByb3RlY3RlZHRva2VuPXRydWUmY2xhaW1zPSU3YiUyMmlkX3Rva2VuJTIyJTNhJTdiJTIyeG1zX2NjJTIyJTNhJTdiJTIydmFsdWVzJTIyJTNhJTViJTIyQ1AxJTIyJTVkJTdkJTdkJTdkJm5vbmNlPTYzODUxOTAwNDY4MDYwMTAxMS41ZjcwYmQxZi05YWQ5LTQ3OTMtYmZiZS05MWI3NTBjYWUyZDYmc3RhdGU9RGN0QkZvQWdDQUJSck5keFNNZ0VPWTZrYmx0Ml9WajgyVTBDZ0Qxc0lWRUVWRXFyYkVTM05CSmlZajdyVXZMQkM2MFB3MXV0b0MtZmFPeGE2ZW56R3BMaVBmTDc5ZndE
Decoding the base64 query string on the end of the credential capture page URL decodes to:
hxxps://login.microsoftonline[.]com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=hxxps://outlook.office[.]com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code id_token&scope=openid&msafed=1&msaredir=1&client-request-id=c1ce9da1-6c59-d48f-b4cf-f6bf36d81ae6&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&nonce=638519004680601011.5f70bd1f-9ad9-4793-bfbe-91b750cae2d6&state=DctBFoAgCABRrNdxSMgEOY6kblt2_Vj82U0CgD1sIVEEVEqrbES3NBJiYj7rUvLBC60Pw1utoC-faOxa6enzGpLiPfL79fwD
Attack Pattern
Given the complexity of the infrastructure used to steal credentials, it is likely the threat actor will have used a well known phishkit or phishing as a service tool (PhaaS) which will have provided ready to go infrastructure maintained by the owner of the service.
Here is a summary of the attack pattern utilized for these campaigns:
- Infrastructure established
- Multiple domains registered to host some of the stages of the redirect chain including the Cloudflare Captcha page and the final credential phishing page
- Web services abused
- Google Looker Studio to host initial landing page
- Cloudflare Captcha to evade URL scanners
- Social media tool abused
- Public facing LinkedIn page created. Probably a company profile with an external link to the initial landing page in Looker Studio
- Email accounts compromised
- Amazon SES accounts compromised to distribute malicious emails containing LinkedIn redirect from
Tactics, Techniques, and Procedures
- T1586.002 - Compromise Accounts Email Accounts
- Threat actor compromised Amazon SES accounts to distribute malicious emails
- T1583 - Acquire Infrastructure
- Domains registered to host Cloudflare Captcha and credential phishing page (probably through a phishkit or PhaaS tool)
- T1583.006 - Acquire Infrastructure: Web Services
- Threat actor used Google Looker Studio to stage a landing page for the LinkedIn redirect
- Redirect generated through LinkedIn
- T1566.002 - Phishing: Spearphishing Link
- Emails distributed with malicious LinkedIn redirect