Effective PR

LinkedIn security scare

Editorial Staff

"We discovered that our data source was modified by an unauthorized agent" says the e-mail that purports to be from LinkedIn. But it isn't. And there's even a little hint at the end to prove it.


The mail is headed "Your account will be deleted" and the sender is described as "LinkedIn Security". But the sender's e-mail address (murrypvz6wlul@hotmail.com) is at Hotmail. Both LinkedIn and Hotmail are owned by Microsoft, but it is highly unlikely that LinkedIn would use an e-mail service that is infamous for allowing anonymous accounts and hosting spam. And Hotmail is not the only problematic product: Outlook has become a product of choice for cybercriminals, and this mail is no exception. Its source is AM6PR02MB4787.eurprd02.prod.outlook.com and it was routed through MS Exchange.

The body of the message is as follows:

Dear user,

During our SSL update, we discovered that our data source was modified by an unauthorized agent.

To protect your privacy, we have established a measure to protect your account and protect your privacy.

After implementing this action, several accounts are systematically deleted to prevent an unauthorized agent from scanning our data source.

We recommend that you confirm your account or your account will be deleted.

Confirm your account

Best regards.
The LinkedIn Security Team [LinkedIn]
This email was intended for our esteemed users. Learn why we included this.
© 2019 LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085. LinkedIn and the LinkedIn logo are registered trademarks of LinkedIn.


Of course, those who foolishly allow e-mail programs to display HTML won't see that the link is fake and are encouraged to click on a link that goes to a domain under the .ke TLD. The link itself is cleverly formed, with a wwwdotlinkedindotcom directory in its path so that, at a cursory glance, even the fake link looks authentic. It is also noticeable that the site which appears to have been hacked to host the fake LinkedIn landing page is not served over HTTPS.

So what's the tweak that gives it away? It's the insertion of the word "esteemed" which is widely used in India and the Middle East and cultures influenced by them.

We have not, of course, clicked the link. It might be a spam scam or, worse, auto-download malware.

This is a potentially enormously harmful spam: its targets are people who are likely to be busy executives, well aware of scams relating to a wide range of issues but equally attuned to data breaches and, therefore, already a "warm lead". For this reason, this warning should be widely distributed within readers' organisations.

Our multi-level spam filters identified it at several stages but interestingly the content passed all filters. It was the technical information in the header that identified it.
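As an added illustration (not from the original article), the following Python script applies the tells described above to a constructed message that mirrors this one: a sender display name that claims LinkedIn while the address is at hotmail.com, a link whose path rather than its host carries the brand name, and a landing page not served over HTTPS. The hostname and path in the sample are placeholders, not the real phishing URL.

```python
"""Flag the brand-impersonation indicators described in the article."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "linkedin"

# Constructed sample mirroring the described message; the link hostname and
# path are placeholders (assumption), not the actual phishing URL.
SAMPLE_MAIL = """\
From: LinkedIn Security <murrypvz6wlul@hotmail.com>
Subject: Your account will be deleted
Received: from AM6PR02MB4787.eurprd02.prod.outlook.com
Content-Type: text/html

<p>We recommend that you confirm your account.</p>
<a href="http://compromised-site-placeholder.ke/wwwdotlinkedindotcom/login">Confirm your account</a>
"""


class _Links(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

    def handle_data(self, data):
        if self._href:  # text inside an open <a> element
            self.links.append((data.strip(), self._href))


def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if BRAND in name.lower() and BRAND not in domain:
        hits.append(f"display name claims {BRAND} but sender domain is {domain}")
    parser = _Links()
    parser.feed(msg.get_payload())
    for _text, href in parser.links:
        u = urlparse(href)
        host, path = (u.hostname or "").lower(), u.path.lower()
        if BRAND not in host and BRAND in path:
            hits.append(f"brand name appears in path, not host: {host}")
        if u.scheme == "http":
            hits.append(f"link not served over https: {host}")
    return hits
```

Run `phishing_indicators(SAMPLE_MAIL)` to see all three indicators reported for the sample; a message from a brand-matching sender with an HTTPS link on the brand's own host yields an empty list.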

-------------- UPDATE 30/12/2019 13:05 ---------------------

In the past few minutes, a heavily encoded message has arrived from the same general source (Outlook/Hotmail); it did not display in plain text or HTML, and its subject line included the LinkedIn password for that account. The LinkedIn account showed more than 40 active logins, most of which were not from my ISP.

Time for caution, perhaps?
