Rodney

Widespread LinkedIn Accounts Hijacking Campaign



As reported by the Cyberint research team, there have been widespread hacking attempts on LinkedIn accounts, resulting in many accounts being locked out for security reasons or ultimately hijacked by attackers.


Some of the victims have received ransom requests (typically requesting a few tens of dollars) to regain control of their accounts, or face permanent account deletion. Others have witnessed their accounts being deleted outright.


Due to this campaign, many victims have logged support requests with LinkedIn for assistance in regaining their accounts. This has had the effect of lengthening the response time. Faced with the possibility of permanent account deletion and frustrated by the lack of response, some victims have turned to social media to further amplify their pleas.



Let’s discuss how the threat actors were able to successfully carry out this campaign.


Attack Method

There are a few potential methods by which the threat actors might have first gained access to the affected LinkedIn accounts. One possibility is that they may have obtained data from a previous LinkedIn breach and are leveraging it to breach accounts that lack two-step verification. Another method could involve the use of brute force tools to penetrate the accounts, particularly those with weaker passwords.


The campaign has resulted in 2 distinct scenarios:

  • Temporary account lockout: In this scenario, the accounts have not been compromised. However, they have been temporarily locked due to suspicious activity or hacking attempts, e.g. an unsuccessful password or 2FA brute-force attack. After blocking these attempts, LinkedIn sends an email to the affected users asking them to reset their passwords to regain access.



  • Full Account Compromise: In this scenario, the victims’ accounts are fully compromised. To prevent the owner from recovering the account, the threat actors change the account’s associated email address to another address, often one that appears to be generated on the rambler.ru mail system. They then change the account password and, in some instances, even turn on 2FA.



The attackers then either demand a small ransom to return the accounts to their original owners or delete the accounts outright without asking for anything.
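
For teams that operate their own account system, the full-compromise sequence described above (an unfamiliar email address added, then the primary email, password or 2FA settings changed) can be written as a correlation rule. This is an added example, not code from the original post or from LinkedIn; the event schema, event names, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window
# Hypothetical event names for the changes that follow the added email
FOLLOW_UPS = {"primary_email_changed", "password_changed", "2fa_enabled"}

# Constructed sample events: (ISO time, account, event type, detail)
EVENTS = [
    ("2023-08-10T09:00:00", "alice", "email_added", "alice.work@example.com"),
    ("2023-08-12T02:14:00", "bob", "email_added", "xk29fq@rambler.ru"),
    ("2023-08-12T02:15:00", "bob", "primary_email_changed", "xk29fq@rambler.ru"),
    ("2023-08-12T02:16:00", "bob", "password_changed", ""),
    ("2023-08-12T02:17:00", "bob", "2fa_enabled", ""),
    ("2023-08-13T11:00:00", "carol", "password_changed", ""),
]

# Constructed baseline: email domains each account has used before
KNOWN_DOMAINS = {
    "alice": {"example.com"},
    "bob": {"example.org"},
    "carol": {"example.net"},
}


def find_takeovers(events, known_domains, window=WINDOW):
    """Return {account: [follow-up event types]} for accounts where an email
    on an unfamiliar domain was added and credential changes followed
    within `window`."""
    alerts = {}
    pending = {}  # account -> time the unfamiliar email was added
    # ISO 8601 strings in one format sort chronologically
    for ts, account, kind, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "email_added":
            domain = detail.rsplit("@", 1)[-1].lower()
            if domain not in known_domains.get(account, set()):
                pending[account] = when
        elif kind in FOLLOW_UPS and account in pending:
            if when - pending[account] <= window:
                alerts.setdefault(account, []).append(kind)
    return alerts


if __name__ == "__main__":
    for account, changes in find_takeovers(EVENTS, KNOWN_DOMAINS).items():
        print(f"ALERT {account}: unfamiliar email added, then {', '.join(changes)}")
```

A lone password change (carol) or an added address on a known domain (alice) does not alert; only the chained sequence does.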

Campaign Impact

Although the specific intentions of the threat actors are still uncertain, whether they are financial, phishing, or internal information acquisition, the potential impact on victims is serious. Users’ substantial efforts in building connections, followers, and reputations over time could be destroyed in seconds.


The threat actors could use the compromised accounts to:

  • Demand a ransom from the victims for them to regain access to their accounts.

  • Exploit the compromised accounts for social engineering purposes, e.g. job scams, phishing attacks, etc.

  • Carry out data gathering of valuable or sensitive information exchanged via LinkedIn conversations.

  • Cause reputational damage to the victims by publishing malicious content, and sending damaging messages to connections.

Safeguarding your Account

So, what should you do if you're worried that your LinkedIn account might be the next one to be hijacked by cybercriminals?

  1. Check Account Access: It is advisable to log into your account and confirm your continued access promptly. Also, make sure all your contact information is genuine and yours. If you find yourself locked out and unable to recover using your email, reach out to LinkedIn support immediately.

  2. Check your email: Check your email inbox for any messages from LinkedIn indicating that an extra email address has been added to your account. If you didn’t initiate this action and find such an email, consider it a significant warning sign. Ensure that you can still log in to your account, change your password, and remove the added email address from your contact details.

  3. Password Security: Employ a strong and lengthy password unique to your LinkedIn account, avoiding password reuse across platforms. A password manager can assist with this.

  4. Two-Step Verification: Enabling the two-step verification feature for your LinkedIn account is highly recommended. This measure enhances security for LinkedIn and all platforms offering this option.
