Catch Of The Week: COVID-19 Phishing Via LinkedIn

Screenshot of a COVID-19 phishing message. Courtesy/Becky Rutherford

Los Alamos

COVID-19 phishing scams… so hot right now. Check out the latest and greatest, straight from my inbox (First screenshot of the phishing message above. Second screenshot is posted at the bottom of the story).

LinkedIn is a great way to build your professional network and make connections, but this is not the kind of connection I want to make. Yes, this is relatively obvious, but let’s go over the signs that this is malicious:

Do I know the sender? Am I expecting information about a government grant from the CDC? No, I am not. If you don’t know the sender, don’t trust the message. Delete it. If you are concerned, it might be something legit, contact the company “out of band”; go directly to their website, call a verified customer service number, etc.

Typos. This message is from a “Project Manager” at the “Centers for Decease Control and Prevention”. Also, the OneDrive link is spelled “CONVID” rather than “COVID”. There are usually clues like typos or grammatical errors in phishing emails, though certainly not always.

A couple of things to note in the second example; this is linking to a legitimate Microsoft OneDrive ( a cloud storage provider) site, and the link is https. What is https? Hypertext Transfer Protocol Secure; this means that communications are encrypted to protect the information you send to and from websites. Back in the good old days (like a couple of years ago), we could tell users that if a link was https, it was probably safe to click. Unfortunately, now it is easy to get an SSL cert for your site and run the website as https. Https does not mean a site is safe to visit; it just means that your data will be encrypted while being stolen. Not helpful.

Another trend; bad guys like to abuse legitimate cloud hosting services like OneDrive, Google Drive, etc. to serve up phishing sites. Why? If your email service uses any kind of filtering (most do), it probably blocks emails with links to malicious websites. But if you get an email with a link to a legitimate cloud service like OneDrive, how will your email know to filter it out? It will probably get through, and you might click it. Just because a link is hosted on a legit service like OneDrive does not mean you can trust it; anyone can set up a site and host whatever they want on it.

I do not know what the actual phishing site looks like (don’t click the link!), but I am betting it is a credential stealer. The phishing “landing page” will likely be spoofing Microsoft and asking you to log in to view the message. Then it will steal your credentials and use them to access your Microsoft account and any linked accounts, not good.

The profile this was sent from was likely compromised, though I cannot say for sure. If you do not have 2FA (Two Factor Authentication) set up on all of your social media accounts, now is the time to do so. Without that added layer of protection, your accounts are substantially more likely to get compromised. Microsoft engineers speaking at the RSA cybersecurity conference said that 99.99% of the compromised Microsoft email accounts they track did not have 2FA enabled. So if you enable 2FA, you have a .01% chance of your account being compromised; I like those odds. How can you set up 2FA? Either through text message authentication or an authenticator app like Google Authenticator, Authy, LastPass Authenticator, etc.

This message was sent to me via LinkedIn InMail, a messaging tool that recruiters and others can pay for as a premium service to directly message LinkedIn members. The scary thing is that in addition to the message going into my LinkedIn inbox, it also went straight into my personal email inbox. Cybercriminals love to abuse legitimate services; it adds that hint of authenticity to the scam.

If you get a suspicious message like this through any social media account, be sure to report it. In this case, I reported the message to LinkedIn as spam and also reported the profile it came from as likely to be compromised. I also contacted Microsoft and let them know the OneDrive site is likely a phishing site.

I deleted the messages from my inbox after reporting them. I’m sure more scams will immediately pop up, but it is always good to report these.

COVID-19 has everyone scared and distracted, and the bad guys know it’s the perfect time to catch us off guard. Everyone is a target for scams like these; be aware and don’t fall for a phish.

Second screenshot of the phishing message. Courtesy/Becky Rutherford

Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.