- Security researchers find phishing emails that spoof LinkedIn notifications
- The emails are distributing the ConnectWise remote access Trojan
- There are multiple red flags, including fake companies, fake images and more
Cybercriminals are spoofing LinkedIn's email notifications to deliver ConnectWise remote access malware (RAT), experts have warned.
A new report by cybersecurity researchers at Cofense Intelligence says the phishing campaign likely began in May 2024 with an email imitating the notification LinkedIn sends when a user receives an InMail message. The business platform does not allow people who are not connected to exchange messages unless the sender is a paying Premium member; those members can use a service called InMail to contact people they are not connected with.
Receiving such a message triggers a LinkedIn email notification, which is what the attackers are spoofing here.
Bypassing email filters
There are multiple red flags in the email. First, the template used was retired by LinkedIn almost five years ago. Then, the supposed project manager/sales director who sends the message does not exist, and the attached photo is labelled "Executive16.png". The profile image used in the email belongs to Cho So-Young, president of a Korean civil engineering law firm.
Finally, the company the sender supposedly works for, "Dongjin Weidmüller Korea Ind", does not exist.
The email carries two buttons, "Read more" and "Respond". Both trigger the download of ConnectWise, a remote administration tool that was originally part of ConnectWise ScreenConnect, legitimate remote desktop software used for IT support and administration. Cybercriminals, however, have hijacked and abused it as a remote access Trojan (RAT) to gain unauthorized control over systems.
The email got past security filters mainly because of how email authentication was configured on the recipient's system, the researchers added.
Although the email failed SPF, it was not blocked: the email security policy, specifically DMARC (Domain-based Message Authentication, Reporting and Conformance), was set to "oreject" rather than outright rejecting suspicious emails.
This configuration likely allowed the email to be flagged as spam yet still land in the recipient's inbox.
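The delivery path described above leaves a trace in the message headers that a defender can hunt for. The following script is an added example, not code from the report or from Cofense: it parses Authentication-Results lines and flags messages where DMARC failed but the receiving system recorded an "oreject" (override reject) action instead of refusing the message. It assumes the Microsoft 365 header style, where the applied DMARC disposition appears as an `action=` tag next to `dmarc=`; the three sample headers, the IP addresses and the `notify.example.test` sender domain are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample Authentication-Results headers (Microsoft 365 style, an
# assumption of this example: "action=oreject" records that a DMARC p=reject
# policy was overridden and the message was delivered to Junk instead of being
# refused). These are illustrative, not headers from the Cofense report.
SAMPLE_HEADERS = [
    # Spoofed notification: SPF and DMARC fail, but the tenant overrides the reject.
    "Authentication-Results: spf=fail (sender IP is 198.51.100.7) "
    "smtp.mailfrom=notify.example.test; dkim=none (message not signed) "
    "header.d=none; dmarc=fail action=oreject header.from=linkedin.com",
    # Genuine notification: everything passes.
    "Authentication-Results: spf=pass (sender IP is 203.0.113.5) "
    "smtp.mailfrom=linkedin.com; dkim=pass (signature was verified) "
    "header.d=linkedin.com; dmarc=pass action=none header.from=linkedin.com",
    # Spoofed notification where the reject policy was actually enforced.
    "Authentication-Results: spf=fail (sender IP is 198.51.100.8) "
    "smtp.mailfrom=notify.example.test; dkim=none (message not signed) "
    "header.d=none; dmarc=fail action=reject header.from=linkedin.com",
]

# Matches the result tags we care about; values run until whitespace or ';'.
# The lookbehind stops "smtp.mailfrom" or similar from matching "from".
_TAG_RE = re.compile(r"(?<![\w.])(spf|dkim|dmarc|action|header\.from)=([^\s;]+)")


@dataclass(frozen=True)
class AuthVerdict:
    spf: str
    dkim: str
    dmarc: str
    action: str
    header_from: str

    @property
    def policy_overridden(self) -> bool:
        """True when DMARC failed but the receiver downgraded reject to deliver-as-junk."""
        return self.dmarc == "fail" and self.action == "oreject"


def parse_auth_results(header: str) -> AuthVerdict:
    """Extract SPF/DKIM/DMARC results and the applied action from one header line."""
    tags = dict(_TAG_RE.findall(header))
    return AuthVerdict(
        spf=tags.get("spf", "none"),
        dkim=tags.get("dkim", "none"),
        dmarc=tags.get("dmarc", "none"),
        action=tags.get("action", "none"),
        header_from=tags.get("header.from", ""),
    )


def classify(header: str) -> str:
    """Return 'deliver', 'override' or 'rejected' for a single header line."""
    v = parse_auth_results(header)
    if v.dmarc == "fail" and v.action == "reject":
        return "rejected"   # policy honoured; message never reached a mailbox
    if v.policy_overridden:
        return "override"   # landed in Junk despite p=reject: worth a closer look
    return "deliver"


def find_overrides(headers, watched_domains=("linkedin.com",)):
    """List the From-domains of messages where a reject policy was overridden.

    Only domains in `watched_domains` are reported, so the output stays
    focused on brands the organisation expects to see impersonated.
    """
    hits = []
    for h in headers:
        v = parse_auth_results(h)
        if v.policy_overridden and v.header_from in watched_domains:
            hits.append(v.header_from)
    return hits


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h), parse_auth_results(h))
    print("overrides:", find_overrides(SAMPLE_HEADERS))
```

Run against a mailbox export, `find_overrides` surfaces exactly the case in the article: a message that failed SPF and DMARC yet was handed to the user's Junk or inbox because the reject was overridden. The fix on the receiving side is to honour the sender's p=reject policy rather than downgrading it; the script is the check that tells you whether that downgrade is happening.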