LinkedIn Experiences a ‘Significant’ Surge in Account Hacks
Users Report Account Lockouts on LinkedIn, Encouraged to Pay Ransom to Regain Access.
Hackers Launch Widespread Campaign to Hijack LinkedIn Accounts, Some Victims Pressured to Pay Ransom for Access
In recent weeks, a wave of LinkedIn account hijackings has impacted users globally. Some attackers are monetizing these breaches by demanding a small ransom from users to regain access while threatening permanent deletion of accounts. LinkedIn, a Microsoft subsidiary, has not issued a public statement regarding this campaign, yet the campaign has affected individuals worldwide. The surge in account hacks on the professional social media platform is evident through social media discussions and Google searches, with a “significant surge in the past 90 days” noted in a report by Cyberint.
Coral Tayar, a security researcher at Cyberint, highlighted that LinkedIn’s support response time has lengthened due to the high volume of support requests, indicating a noteworthy issue. According to Tayar, “[Google] search queries such as ‘LinkedIn account hacked’ or ‘LinkedIn account recovery’ have experienced a substantial upward trend… while the term ‘breakout’ in place of percentage indicates that the search term grew by over 5,000%.”
Two Scenarios of the Attack
Although LinkedIn has not publicly addressed the issue, it seems to be aware of the suspicious account activity. This silence has provoked frustration among users who have experienced these breaches.
In reports of account hacks shared online, two distinct scenarios have emerged, each with its own consequences:
LinkedIn temporarily locks users’ accounts due to suspicious activities or hacking attempts. The platform then notifies affected users, prompting them to verify their accounts and update their passwords for account recovery. This scenario often occurs when threat actors attempt to breach accounts with two-factor authentication or conduct brute-force attacks on passwords.
In the more unfortunate scenario, victims’ LinkedIn accounts are fully compromised, making independent recovery impossible. Attackers gain access to the account, change the associated email address to another, often using addresses generated through the rambler.ru mail system. They then alter the account password. Since the email address is also changed, users cannot recover their login details using the previous email address. Some victims have received ransom messages, typically requesting a small sum of money, to regain access, while others have seen their accounts deleted altogether.
LinkedIn’s History of Being a Target for Cyberattacks
LinkedIn has been a frequent target of cybercriminals in various attacks:
Phishing Attempts: LinkedIn was identified as the most abused brand in phishing attempts, primarily because of its widespread use in the corporate world, making it a recognizable and lucrative target.
North Korean APT Campaign: In June of the same year, the North Korean APT group Lazarus was found using fake LinkedIn profiles to target security researchers in a phishing campaign.
Spear-Phishing to Compromise Facebook Business Accounts: In July, attackers conducted a spear-phishing campaign targeting LinkedIn as part of an effort to seize control of Facebook Business accounts for malvertising schemes.
The motive behind the recent account takeover campaign is uncertain, but compromised profiles can be exploited for various malicious activities. Threat actors can use LinkedIn profiles to socially engineer phishing campaigns by impersonating trusted colleagues or supervisors. They can also extract valuable information from conversations between business associates or harm victims’ reputations by posting malicious content or sending damaging messages to their professional connections.
Emily Phelps, Director of threat intelligence firm Cyware, emphasizes the importance of safeguarding online identities, as much of our lives are conducted online, and the consequences of online identities falling into the wrong hands can be significant.
Verify LinkedIn Account Access Immediately
In light of the potential scale and severity of these breaches, Cyberint strongly recommends that users take the following steps:
Immediate Account Verification: Users should promptly log in to their LinkedIn accounts to verify their access.
Contact Information Verification: Ensure that all contact information within the account is accurate and truly belongs to the user. If locked out and unable to recover the account through email, contact LinkedIn immediately.
Monitor Email Communications: Check email inboxes for messages from LinkedIn that indicate the addition of an extra email address to the account. If such an email is discovered and the user did not initiate this action, it should be considered a significant warning sign, prompting further investigation and action.
Enhance Password Security: Strengthen password security by using complex, unique passwords. Consider using two-step verification, a feature provided by LinkedIn and other platforms, to add an extra layer of security to the account.
Taking these precautions can help users secure their LinkedIn profiles and respond effectively to potential breaches.