Phishing for Credentials in Social Media-Based Platform Linktree
Social media is designed, of course, to connect, but legitimate ways of doing so can be abused. One such abuse currently in circulation involves Linktree, a link-in-bio service that lets users with many accounts collect all their links on a single landing page. If you’re unfamiliar with Linktree, which, we stress, is a legitimate service, here’s how the company describes what it will let you do. “Connect your TikTok, Instagram, Twitter, website, store, videos, music, podcast, events and more,” Linktree says. “It all comes together in a link in a bio landing page designed to convert.” And you can “Get started for free.”
Researchers at Avanan have found that criminals are using Linktree pages as a waypoint in a credential-phishing chain: the victim is reached by email, passed through a Linktree page, and finally landed on a fake login form. It’s an impersonation scam with a phishing email as the initial attack vector. “In this attack,” Avanan writes, “hackers are creating legitimate Linktree pages to host malicious URLs to harvest credentials.”
“In this attack, end-users get an email with a spoofed Microsoft OneDrive or Sharepoint notification that a file has been shared with them, instructing them to open the file.” The URL the recipient is directed to follow is superficially plausible, but on closer inspection can be seen for the imposter it is: a notification branded as Microsoft’s points not at a Microsoft domain but at a Linktree page.
“The URL in the email redirects victims to the Linktree page. Here the hacker has built a simple button that redirects them to the third and final page. Finally, the user is redirected to this fake Office 365 login page, where they are asked to enter their credentials. Of course, that’s where those credentials will be promptly stolen.”
It’s another case of a legitimate service being abused in a way that tends to slip past technical screens. A URL-reputation filter sees a link to a well-known, legitimately used host, and the credential-harvesting page sits two hops further down the chain. It’s Linktree, right? What could go wrong? Seems legit. Two signals are nonetheless detectable on the technical side: the mismatch between a Microsoft-branded share notification and a link host that is not Microsoft’s, and a redirect chain that terminates at a login page outside Microsoft’s domains. This is also another case in which new school security awareness training can train users to be alert to the possibility of scams. An aware user is the ultimate defense against social engineering.
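The three-hop chain described above, and the difference between a reputation-only URL check and a check that compares the claimed brand against the link host and follows the redirects, as an added example (this is not code from the original post, from Avanan, or from Linktree). The sample email, the intermediate host, the fake login host, the hop table and the reputation allowlist are all constructed for illustration; linktr.ee and the Microsoft domains are the only real hostnames used, and the hop table stands in for HTTP fetches so the script runs offline.

```python
"""Added example (not from the original post, Avanan or Linktree): a mail-gateway
check for the spoofed-OneDrive -> Linktree -> fake Office 365 login chain.
All sample data below is constructed; hostnames other than linktr.ee and the
Microsoft domains are hypothetical."""
import re
from urllib.parse import urlparse

# Constructed sample: spoofed OneDrive share notification linking to a Linktree page.
SAMPLE_EMAIL = """From: "Microsoft OneDrive" <no-reply@share-notify.example>
Subject: A file has been shared with you
Content-Type: text/html

<p>Someone shared "Q3_Payroll.xlsx" with you.</p>
<a href="https://linktr.ee/files-shared-q3">Open file</a>
"""

# Constructed sample: a genuine-looking share notification that links to the tenant's SharePoint.
BENIGN_EMAIL = """From: "Microsoft OneDrive" <no-reply@sharepointonline.com>
Subject: A file has been shared with you
Content-Type: text/html

<a href="https://contoso-my.sharepoint.com/:x:/g/personal/alice/Ea1b">Open file</a>
"""

# Offline stand-in for following redirects: Linktree page -> button target -> fake O365 login.
# A real gateway would fetch each hop (or hand the URL to a sandbox) to build this chain.
HOP_TABLE = {
    "https://linktr.ee/files-shared-q3": "https://docs-share.example/open?id=42",
    "https://docs-share.example/open?id=42": "https://login-microsoft-verify.example/office365/",
}

# Brand keywords that appear in the lure, and the origins that brand legitimately sends users to.
BRAND_ORIGINS = {
    "onedrive": ("microsoft.com", "live.com", "sharepoint.com", "onedrive.com", "1drv.ms"),
    "sharepoint": ("microsoft.com", "sharepoint.com"),
}
LINK_IN_BIO_HOSTS = ("linktr.ee",)
# Hosts a reputation-only filter would wave through (constructed allowlist).
REPUTATION_ALLOWLIST = ("linktr.ee", "microsoft.com", "sharepoint.com")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def extract_urls(message):
    return URL_RE.findall(message)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def host_matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def claimed_brand(message):
    """Which brand the lure claims to come from (first keyword found, or None)."""
    text = message.lower()
    return next((b for b in BRAND_ORIGINS if b in text), None)


def resolve_chain(url, hops, limit=10):
    """Follow the hop table from url, returning every URL visited (bounded to avoid loops)."""
    chain = [url]
    while chain[-1] in hops and len(chain) < limit:
        chain.append(hops[chain[-1]])
    return chain


def reputation_only_verdict(message):
    """What a host-reputation screen sees: every link host is well known, so it allows the mail."""
    hosts = [host_of(u) for u in extract_urls(message)]
    return "allow" if all(host_matches(h, REPUTATION_ALLOWLIST) for h in hosts) else "review"


def analyze(message, hops):
    """Brand-vs-host check plus redirect resolution; blocks when any reason is found."""
    brand = claimed_brand(message)
    origins = BRAND_ORIGINS.get(brand, ())
    reasons, chains = [], []
    for url in extract_urls(message):
        chain = resolve_chain(url, hops)
        chains.append(chain)
        first, final = host_of(chain[0]), host_of(chain[-1])
        if brand and not host_matches(first, origins):
            reasons.append(f"{brand} notification links to non-{brand} host {first}")
        if host_matches(first, LINK_IN_BIO_HOSTS):
            reasons.append(f"link-in-bio intermediary {first}")
        if brand and len(chain) > 1 and not host_matches(final, origins):
            reasons.append(f"redirect chain ends at {final}, not a {brand} origin")
    return {
        "brand": brand,
        "chains": chains,
        "final_host": host_of(chains[-1][-1]) if chains else None,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, "reputation-only:", reputation_only_verdict(msg))
        print(name, "chain-aware:", analyze(msg, HOP_TABLE))
```

The reputation-only function is the screen the post says this lure evades: linktr.ee is on every allowlist. The chain-aware check catches it on three independent grounds, any one of which is enough to quarantine the message, and still allows the benign notification whose link lands on the tenant's own sharepoint.com subdomain.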
Avanan has the story.
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
- Immediately start your test for up to 100 users (no need to talk to anyone)
- Select from 20+ languages and customize the phishing test template based on your environment
- Choose the landing page your users see after they click
- Show users which red flags they missed, or a 404 page
- Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
- See how your organization compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW