LinkedIn has seen a dizzying increase in account takeover attacks over the last year. Already in 2022, phishing attacks on LI were up 232% year on year.
Over the last 12 months, an initial campaign around mid-2023 propelled search terms such as “linkedin breach” or “linkedin account recovery” to several times their usual baseline traffic.
That search traffic has not abated and keeps climbing, and newer terms such as “linkedin contact number” point to a steep rise in cyberattacks on the platform.
LinkedIn reportedly struggled to cope with the initial onslaught: at the height of the account takeover campaign, LI customer support teams were at times unable to get back to distraught users in under 3 or 4 business days.
How do LinkedIn account takeover attacks work?
LinkedIn accounts have come under sustained attack, most notably since mid-2023, when cybercriminals launched a structured campaign of systematic account takeovers that has expanded in scale over the last year.
As with most account takeover or account fraud, the cybercriminals must first steal, or otherwise come into possession of, the user's credentials (password, email and/or mobile number). So far they have done so mostly by:
Phishing / Advanced phishing and AI generated phishing
There are many techniques for stealing credentials, but the most common one online is phishing, or its latest incarnation, AI-assisted advanced phishing. Generative AI can now defeat a variety of security controls, such as 2D facial recognition or voice authentication.
It can also help cybercriminals design extremely compelling phishing messages (and landing pages) that are virtually identical to those sent by the legitimate company.
Here the cybercriminals used advanced phishing techniques to spoof LinkedIn emails that perfectly mimicked LI's visual style, and sent them to LI users whose email addresses they already had.
They chose an appealing lure, checking one's profile views, spoofed to perfection (“Your LinkedIn profile appeared 24 times this week!”), to harvest further user data.
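A spoofed "profile views" email looks right to a human but rarely survives a mechanical check. The script below is an added example, not code from the article or from LinkedIn: it parses a raw message with Python's standard library and flags three things a practitioner would check first, the receiving server's SPF/DKIM/DMARC verdicts, off-brand Reply-To/Return-Path domains behind a clean-looking From, and links whose host is not the brand's domain. The two sample messages, the lure text, the domains and the TRUSTED_DOMAINS list are all constructed for this example and are assumptions, not data from the page.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the brand's legitimate domain(s).
TRUSTED_DOMAINS = ("linkedin.com",)


def is_trusted_host(host):
    """True only for a trusted domain or one of its subdomains. A suffix
    check (not 'linkedin.com' in host) defeats look-alikes such as
    linkedin.com.profile-views.example."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_email):
    """Return a list of (category, detail) findings; an empty list means
    none of the three checks fired."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []

    # 1. Authentication-Results written by the receiving MTA (RFC 8601).
    #    Forging From: is free; forging a passing DKIM signature is not.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(("auth", f"{mech.lower()}={result.lower()}"))

    # 2. From, Reply-To and Return-Path should all sit on the brand's domain;
    #    phishers often keep From clean and hide the real mailbox in Reply-To.
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value is None:
            continue
        _, addr = parseaddr(str(value))
        domain = addr.rpartition("@")[2]
        if not is_trusted_host(domain):
            findings.append(("header", f"{header} domain {domain!r} is not in {TRUSTED_DOMAINS}"))

    # 3. Every link in the HTML body must land on the brand's domain.
    part = msg.get_body(preferencelist=("html",))
    if part is not None:
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            if not is_trusted_host(urlparse(href).hostname):
                findings.append(("link", f"{text!r} -> {href}"))
    return findings


# Constructed sample modelled on the lure quoted above; not a real message.
PHISHING_SAMPLE = "\n".join([
    "Return-Path: <bounce@mail.example.net>",
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example.net; dkim=none",
    "From: LinkedIn <notifications@linkedin.com>",
    "Reply-To: LinkedIn Support <support@linkedin-recovery.example>",
    "Subject: Your LinkedIn profile appeared 24 times this week!",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body><p>Your LinkedIn profile appeared 24 times this week!</p>",
    '<p><a href="https://linkedin.com.profile-views.example/login">See who viewed your profile</a></p>',
    '<p><a href="https://www.linkedin.com/feed/">Go to LinkedIn</a></p></body></html>',
])

# Constructed legitimate counterpart: all verdicts pass, all domains on-brand.
LEGITIMATE_SAMPLE = "\n".join([
    "Return-Path: <bounce@linkedin.com>",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=linkedin.com; dkim=pass header.d=linkedin.com; dmarc=pass",
    "From: LinkedIn <notifications@linkedin.com>",
    "Subject: Your profile appeared 24 times this week",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<html><body><p><a href="https://www.linkedin.com/me/profile-views/">See who viewed your profile</a></p></body></html>',
])

if __name__ == "__main__":
    for category, detail in analyse(PHISHING_SAMPLE):
        print(f"[{category}] {detail}")
    print("legitimate sample findings:", analyse(LEGITIMATE_SAMPLE))
```

The order of the checks is deliberate: the authentication verdicts are the only signal the attacker cannot control by editing the message, so they are consulted first; the header and link checks catch the common case where the attacker spoofs From but has to receive replies and clicks somewhere they actually own.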
Man in the middle attacks
Brute force and credential stuffing
Users who had only set up password/email authentication, with no second factor, were much more commonly victims of brute-force attacks or credential stuffing.
Brute-force attacks use automated bots to guess passwords for a targeted account, in order to break into it.
Credential stuffing describes another type of criminal automation: here the cybercriminals replay the email/password pairs they have found in a large data dump, on the dark web or elsewhere, against the login page, betting that users reuse the same password across sites.
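The two automations described above leave different fingerprints in a login log, and telling them apart decides the response (lock one account versus block one source and reset every account it got into). The detector below is an added example, not the article's or LinkedIn's code: it classifies a stream of login attempts using a sliding time window, flagging an account that collects many failures in a short window as brute-forced, and a source IP that cycles through many distinct accounts in a short window as credential stuffing, then lists the accounts that such a source logged into successfully. The log format, the thresholds and the sample log lines are constructed for this example and are assumptions.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginAttempt:
    ts: datetime
    src_ip: str
    account: str
    success: bool


def parse_line(line):
    """Parse one constructed log line, e.g.
    '2024-05-01T09:00:00 ip=203.0.113.5 user=alice@example.com result=fail'"""
    ts_str, ip_kv, user_kv, result_kv = line.split()
    return LoginAttempt(
        ts=datetime.fromisoformat(ts_str),
        src_ip=ip_kv.split("=", 1)[1],
        account=user_kv.split("=", 1)[1],
        success=result_kv.split("=", 1)[1] == "ok",
    )


def max_distinct_in_window(events, window):
    """events: (timestamp, key) pairs sorted by timestamp. Returns the largest
    number of distinct keys that fall inside any interval of length `window`
    (two-pointer sliding window, O(n))."""
    in_window, queue, best = Counter(), deque(), 0
    for ts, key in events:
        queue.append((ts, key))
        in_window[key] += 1
        while ts - queue[0][0] > window:          # drop events that fell out of the window
            _, old_key = queue.popleft()
            in_window[old_key] -= 1
            if in_window[old_key] == 0:
                del in_window[old_key]
        best = max(best, len(in_window))
    return best


def classify(lines, window=timedelta(minutes=10),
             brute_force_threshold=10, stuffing_threshold=10):
    """Brute force: many failures against ONE account (from any IPs).
    Credential stuffing: ONE source IP trying MANY distinct accounts, each
    roughly once, with a low hit rate. Thresholds are illustrative."""
    attempts = sorted((parse_line(l) for l in lines), key=lambda a: a.ts)
    failures_by_account = defaultdict(list)
    attempts_by_ip = defaultdict(list)
    for i, a in enumerate(attempts):
        if not a.success:
            failures_by_account[a.account].append((a.ts, i))   # unique key: count failures
        attempts_by_ip[a.src_ip].append((a.ts, a.account))     # account key: count distinct targets

    brute_force = sorted(acct for acct, ev in failures_by_account.items()
                         if max_distinct_in_window(ev, window) >= brute_force_threshold)
    stuffing = sorted(ip for ip, ev in attempts_by_ip.items()
                      if max_distinct_in_window(ev, window) >= stuffing_threshold)
    # Accounts the stuffing source actually got into: these need a forced reset.
    compromised = sorted({a.account for a in attempts if a.success and a.src_ip in set(stuffing)})
    return {"brute_force": brute_force, "credential_stuffing": stuffing, "compromised": compromised}


def _sample_log():
    """Constructed sample: one brute-force run, one stuffing run, one benign user."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # Brute force: one IP hammering one account, 12 failures in under two minutes.
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} "
                     f"ip=203.0.113.5 user=alice@example.com result=fail")
    # Credential stuffing: one IP tries 12 different leaked pairs once each; one works.
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} "
                     f"ip=198.51.100.7 user=user{i}@example.com result={'ok' if i == 7 else 'fail'}")
    # Benign: a user mistypes twice, then logs in.
    for offset, result in ((0, "fail"), (20, "fail"), (45, "ok")):
        lines.append(f"{(base + timedelta(minutes=5, seconds=offset)).isoformat()} "
                     f"ip=192.0.2.9 user=bob@example.com result={result}")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Note that the brute-force source is not flagged as a stuffing source (it tried only one account) and the stuffing source is not flagged for brute force (no single account saw more than one failure from it), which is exactly the distinction the two paragraphs above draw; per-account lockouts alone would never have caught the second attacker.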
Social engineering
Attackers may at times stick with a specific target for a while, in order to gradually acquire more and more personal data, and eventually credentials, about them.
Social engineering is a very broad and “human” type of fraud, as it relies on real-life interactions. A scammer may for example connect with you on Facebook, where, should you accept the request, they gather a first layer of information.
They can then move on to another social media platform, say X, and attempt to connect there too, using a highly customised message based on the information already gathered from FB. By then they can typically gather even more information on your profile, both personal and professional.
Finally they may attempt to “get closer” by connecting with you on a dating app, using precise geolocation targeting and knowing all about your physical appearance and tastes.
In this more private setting, the cybercriminal can then often extract further key information from the victim (mobile number, DOB, etc.) by pretending to be a potential date.