Hackers are abusing LinkedIn to target finance executives with direct-message phishing attacks that impersonate executive board invitations, aiming to steal their Microsoft credentials.
The campaign was spotted by Push Security, which says it recently blocked one of these phishing attacks that began with a LinkedIn message containing a malicious link.
BleepingComputer has learned that these phishing messages claim to be invitations for executives to join the executive board of a newly created "Common Wealth" investment fund.
"I'm excited to extend an exclusive invitation for you to join the Executive Board of Common Wealth investment fund in South America in partnership with AMCO - Our Asset Management branch, a bold new venture capital fund launching a Investment Fund in South America," reads the LinkedIn phishing message seen by BleepingComputer.
These phishing direct messages end by telling the recipient to click a link to learn more about the opportunity.
However, Push Security says that once the recipient clicks the link, they are sent through a series of redirects. The first redirect is via a Google open redirect that leads to an attacker-controlled site, which then redirects to a custom landing page hosted on firebasestorage.googleapis[.]com.
[Figure: Redirect chain used in the phishing attack. Source: Push Security]
Some of the malicious domains used in this campaign, seen by Push Security and BleepingComputer, include payrails-canaccord[.]icu, boardproposalmeet[.]com, and sqexclusiveboarddirect[.]icu.
The Firebase page pretends to be a "LinkedIn Cloud Share" portal containing various documents related to the board membership position and its responsibilities.
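The redirect chain and domains reported above can be checked for in recorded click telemetry. The following Python sketch is an added example, not code from Push Security or BleepingComputer; the sample chain's paths and parameter name, the finding labels, and the choice to treat any google.com host as the first hop are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Domains named in the article, kept defanged and refanged only for matching.
CAMPAIGN_DOMAINS = {d.replace("[.]", ".") for d in (
    "payrails-canaccord[.]icu",
    "boardproposalmeet[.]com",
    "sqexclusiveboarddirect[.]icu",
)}
LANDING_HOST = "firebasestorage.googleapis[.]com".replace("[.]", ".")

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_google(h):
    # Assumption: any google.com host counts as the "Google" first hop.
    return h == "google.com" or h.endswith(".google.com")

def embedded_hosts(url):
    """Hosts of absolute URLs carried in query parameters (open-redirect shape)."""
    values = [v for vs in parse_qs(urlsplit(url).query).values() for v in vs]
    return [host(v) for v in values if v.lower().startswith(("http://", "https://"))]

def classify_chain(chain):
    """chain: ordered URLs one click passed through. Returns a list of findings."""
    hosts = [host(u) for u in chain]
    findings = []
    if hosts and is_google(hosts[0]):
        external = [h for h in embedded_hosts(chain[0]) if h and not is_google(h)]
        if external:
            findings.append("google_redirect_to_external:" + external[0])
    for h in hosts:
        if any(h == d or h.endswith("." + d) for d in CAMPAIGN_DOMAINS):
            findings.append("campaign_domain:" + h)
    if len(hosts) >= 3 and is_google(hosts[0]) and hosts[-1] == LANDING_HOST:
        findings.append("google_to_firebase_chain")
    return findings

# Constructed sample: paths and parameter name are placeholders, not campaign data.
MID = "https://" + sorted(CAMPAIGN_DOMAINS)[0] + "/placeholder"
SAMPLE_CHAIN = [
    "https://www.google.com/placeholder-redirect?target=" + MID,
    MID,
    "https://" + LANDING_HOST + "/placeholder-landing.html",
]
BENIGN_CHAIN = ["https://www.google.com/search?q=linkedin", "https://www.linkedin.com/"]

if __name__ == "__main__":
    print(classify_chain(SAMPLE_CHAIN))
    print(classify_chain(BENIGN_CHAIN))
```

A Firebase-hosted page on its own is not flagged; the check keys on the combination of hops, since each host in the chain is individually common in legitimate traffic.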