Phishing scams are among the most common attacks owing to their simplicity and, sadly, their reliability. In the latest instance, researchers from ArmorBlox have discovered a new LinkedIn phishing campaign that targeted approximately 700 users through Google Workspace by hosting the phishing page on Google Forms.
The phishing email itself prompted users to verify their LinkedIn accounts, with the subject line including the potential victim's name to make it look more authentic:
As seen, there were 3 different hyperlinks in the email, but all of them eventually redirected the victim to the phishing page. Furthermore, the sender's email address shown above appears to belong to Paul University, which is based in Nigeria.
According to the researchers, this address was not spoofed: it is a real university mailbox that the attackers appear to have taken control of, which helped them pass email "authentication checks like SPF, DKIM, and DMARC."
However, even if they did take control of it, users should know that no one except LinkedIn would ask them to verify their account in such a situation (unusual activity observed, as stated in the email). And even if LinkedIn did, it would not do so through a Google Forms page. Yet a lack of awareness in such cases victimizes many.
The form page, on the other hand, also bypassed email security checks since Google Forms itself is not a malicious site. It asked users for their usernames and passwords, which were then sent in plain text to the attackers. This is similar to previous malware campaigns we have covered where attackers used the cover of legitimate services to evade built-in security checks.
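A content-based check for this pattern, added here as an example and not code from ArmorBlox, Google or the article: it flags a message that names a brand, arrives from an unrelated domain and links to a hosted form, without treating an SPF/DKIM/DMARC pass as a clean signal, since the compromised mailbox passed those checks. The sample email and its domains are constructed placeholders.

```python
"""Heuristic detector for brand lures hosted on Google Forms (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts with good reputation that can still serve a credential-harvesting form.
FORM_HOSTS = {"docs.google.com", "forms.gle"}
# Brand keyword -> domains legitimately allowed to send mail about that brand.
BRANDS = {"linkedin": {"linkedin.com"}}
VERIFY_WORDS = re.compile(r"\b(verify|confirm|unusual activity)\b", re.I)


def extract_links(text: str) -> list:
    return re.findall(r"https?://\S+", text)


def assess(raw_email: str) -> dict:
    """Return why an email looks like a hosted-form credential lure.

    Authentication results are deliberately ignored: in the campaign above the
    mail came from a genuine, taken-over mailbox, so SPF/DKIM/DMARC passed.
    """
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    reasons = []
    form_links = [u for u in extract_links(text) if urlparse(u).hostname in FORM_HOSTS]
    if form_links:
        reasons.append("links to a hosted form: " + ", ".join(form_links))
    for brand, allowed in BRANDS.items():
        if brand in text.lower() and sender_domain not in allowed:
            reasons.append(f"mentions {brand} but was sent from {sender_domain}")
    if VERIFY_WORDS.search(text):
        reasons.append("account-verification language")
    # Two independent signals are required to limit false positives.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample mirroring the campaign's shape; domains are placeholders.
SAMPLE = """From: IT Desk <it-desk@university.example>
To: Jane Doe <jane@company.example>
Subject: Jane Doe, verify your LinkedIn account

We observed unusual activity on your account. Verify here:
https://docs.google.com/forms/d/e/PLACEHOLDER/viewform
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```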
To conclude, identifying such a scam is not difficult for someone who knows the basics of cybersecurity. For others, it can be a challenge, and therefore awareness needs to be raised through government and private-sector efforts. In the future, better email security mechanisms can be devised to tackle such attacks.