- Security researchers find phishing emails that spoof LinkedIn messages
- The emails distribute the ConnectWise Remote Access Trojan
- There are several red flags, including fake businesses, fake images and more
Cybercriminals are spoofing LinkedIn notification emails to deliver the ConnectWise Remote Access Trojan (RAT) malware, experts have warned.
A new report from cybersecurity researchers Cofense Intelligence notes that the phishing campaign probably started in May 2024 with an email that mimics the notification LinkedIn sends to a person when they receive an InMail message. The business platform does not allow people who are not connected to exchange messages unless the sender is a premium (paying) member. Premium members can use a service called InMail to reach out to people they are not connected with.
Receiving such a message triggers an email notification from LinkedIn, which is what the attackers forged here.
Bypassing email filters
There are several red flags in the email. First, the template used was phased out by LinkedIn almost five years ago. Second, the supposed project manager/sales director who sends the message cannot be found, and the attached photo is labeled “Executive16.png”. The profile picture used in the email is that of the president of the Korean community in the Civil Engineering Court, a person called Cho So-Young.
Finally, the company the sender allegedly works for, called “Dongjin Weidmüller Korea in”, does not exist either.
The email comes with two buttons: “Read more” and “Reply to”. Both trigger the download of ConnectWise, a remote management tool that was originally part of ConnectWise ScreenConnect, a legitimate remote desktop software used for IT support and management. However, cybercriminals have hijacked it and abuse it as a remote access Trojan (RAT) to gain unauthorized control over systems.
The email made it past security filters primarily because of how email authentication settings were configured on the recipient’s system, the researchers added.
Although the email failed SPF (Sender Policy Framework) and was not signed with DKIM (DomainKeys Identified Mail), it was still not rejected outright by the system. This happened because the email security policy, specifically DMARC (Domain-based Message Authentication, Reporting and Conformance), was set to “oreject” instead of fully rejecting suspicious emails.
This setting probably caused the email to be marked as spam but still land in the recipient’s inbox.
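The authentication outcome described above can be checked for at triage time. The following is an added example, not code from the Cofense report: it assumes the Authentication-Results layout that Microsoft 365 stamps on inbound mail (where `oreject` appears as an `action` value), and the sample message, addresses and verdict labels are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not taken from the report).
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=mailer.example.net; dkim=none (message not signed)
 header.d=none; dmarc=fail action=oreject header.from=example.com
From: "InMail" <notifications@example.com>
Subject: You have a new message

body
"""

FIELD = re.compile(r"\b(spf|dkim|dmarc|action)=([A-Za-z]+)")

def auth_results(raw):
    """Parse spf/dkim/dmarc/action from the topmost Authentication-Results
    header. Each hop prepends its headers, so only the first one is read;
    copies further down may have been supplied by the sender."""
    value = message_from_string(raw).get("Authentication-Results", "")
    value = re.sub(r"\([^)]*\)", " ", value)  # drop parenthesised comments
    return {key: val.lower() for key, val in FIELD.findall(value)}

def triage(raw):
    """Flag mail that failed authentication but was not rejected outright."""
    r = auth_results(raw)
    if not r:
        return "review: no authentication results"
    spf_bad = r.get("spf") in {"fail", "softfail"}
    dkim_bad = r.get("dkim") in {"none", "fail"}
    dmarc_bad = r.get("dmarc") == "fail"
    if dmarc_bad and r.get("action") == "oreject":
        return "quarantine: DMARC reject was overridden (oreject)"
    if dmarc_bad or (spf_bad and dkim_bad):
        return "review: sender authentication failed"
    return "pass"

if __name__ == "__main__":
    print(auth_results(SAMPLE))
    print(triage(SAMPLE))
```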



