How to Spot: Phishing by LinkedIn Message
Just a few days after being falsely accused by my former web host of operating a phishing scam (the accusation still burns!), I received a LinkedIn message from a literary agent connection that piqued my interest.
Something about the message felt a little disingenuous; however, a literary agent reaching out to a writer in this manner wouldn't be unheard of (although this may be pure happenstance, and whoever devised the attack just got lucky with a credible background).
So I decided to check out the OneDrive share.
Here are some things I did to investigate the suspicious share and correctly determine that it was a phishing attempt.
1: Check the URL Structure
If you’re dubious that something you’ve received in this manner might be a phishing scam, the first place you should check is the URL bar.
In this case, the link was to a genuine OneDrive share.
Note that, in Google Chrome, the padlock symbol to the left of the URL is marked as secure, indicating that the connection to the website is encrypted and secured by a valid Secure Sockets Layer (SSL) certificate.
2: Check the SSL Certificate
Both the fact that the connection has an SSL certificate and the identity of the issuing authority are important pieces of information: discrepancies (for example, a self-signed certificate, or one issued to the operator under its own name rather than to the company it imitates) can be valuable clues that something is amiss.
Let’s take a look at the SSL issuer certificate so that we can compare and contrast anything that changes:
As I would have expected, the SSL certificate on OneDrive.com, where legitimate OneDrive shares are hosted, is issued by Microsoft Corporation.
3: Watch Out For Dodgy Graphics
Here’s where things got a bit phishy (get it?).
There’s no reason why the sender couldn’t have simply sent an open access link. Instead, this looks like a OneDrive link to another OneDrive folder.
But look at the image that’s embedded.
As a company with more than $125 billion in annual revenue, Microsoft are not lacking the budget to hire a graphic design team — so the pixellated image immediately drew my suspicion.
Next, read the copy it contains:
“You have a new secure message for your perusal from X”.
There’s no way that a staid corporate like Microsoft would use such jocular phrasing as “for your perusal” in their standard OneDrive share template notification.
Besides comparing how this link looked with a OneDrive share link which we know to be valid, we could also run an exact string search on Google to check if this suspicious line of copy has been reported as malware anywhere else on the internet.
4: Run Searches On Suspicious UI Copy
The one match here is from Hybrid Analysis, a free malware analysis service. Evidently, somebody has submitted this message for analysis:
When we click the “View Message Folder” button, we are then taken to another login.
5: Watch Out For Phishing URLs!
This brings us to a pretty typical phishing landing page.
Notice the following from the Omnibox:
a) We’re now on an external website. Although conceivably, this could be achieved legitimately by the operator adding a CNAME DNS record if OneDrive allowed white-labeling a store site (I don't believe that they do).
b) The SSL certificate has vanished.
c) It’s no longer a Microsoft-issued certificate:
If we look into the issuing authority, we see that its certificates are being hawked on a website called cheapsslsecurity.com.
Again, I think that Microsoft have enough money to be throwing around not to have to deal with such a disreputable-sounding operator.
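Steps 1, 2 and 5 above boil down to two checks a reader can automate: is the host in the URL bar actually a Microsoft domain, and is the certificate presented for it issued by the organization you expect? The following Python is an added example written for this post, not code from the original article or from Microsoft. The host allowlist, the expected issuer organization, the "Budget Certificates Ltd" issuer and the certificate dictionaries are all constructed assumptions for the example; the dictionaries mimic the shape `ssl.getpeercert()` returns so the same analysis runs on a live certificate fetched with `fetch_certificate`.

```python
"""Added example: check a share or sign-in URL's host and its TLS certificate
against what a genuine OneDrive / Microsoft page should present. The allowlist,
expected issuer and sample certificates below are constructed assumptions."""
import socket
import ssl
from urllib.parse import urlparse

# Hosts used by genuine OneDrive shares and Microsoft sign-in pages
# (assumption for this example; extend it for your own environment).
EXPECTED_HOSTS = {"onedrive.live.com", "1drv.ms", "login.live.com", "login.microsoftonline.com"}
# Issuer organization the post observed on the genuine share.
EXPECTED_ISSUER_ORG = "Microsoft Corporation"


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, ignoring scheme, userinfo, port and path."""
    return (urlparse(url).hostname or "").lower()


def is_expected_host(url: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one. The suffix
    match is anchored on a dot, so 'login.live.com.evil.example' and
    'evil1drv.ms' are both rejected."""
    host = host_of(url)
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def _name_field(name, key):
    """Pull one attribute out of a getpeercert()-style subject or issuer:
    a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _san_matches(pattern: str, host: str) -> bool:
    """Match a DNS SAN entry; a leading '*.' wildcard covers exactly one label."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def certificate_findings(cert: dict, host: str) -> list:
    """List the discrepancies between a certificate and what we expect;
    an empty list means the certificate looks like the genuine article."""
    findings = []
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
    if subject == issuer:
        findings.append("self-signed certificate")
    issuer_org = _name_field(issuer, "organizationName")
    if issuer_org != EXPECTED_ISSUER_ORG:
        findings.append(f"issuer organization is {issuer_org!r}, expected {EXPECTED_ISSUER_ORG!r}")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_san_matches(san, host) for san in sans):
        findings.append(f"host {host!r} is not covered by the certificate's names {sans}")
    return findings


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live certificate (needs network; not used by the tests). The default
    context already verifies the chain and hostname; we inspect the issuer on top."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape getpeercert() returns;
# the CA names are made up for the example.
GENUINE_CERT = {
    "subject": ((("commonName", "onedrive.live.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Microsoft Corporation"),),
               (("commonName", "Example Microsoft TLS Issuing CA"),)),
    "subjectAltName": (("DNS", "onedrive.live.com"), ("DNS", "*.live.com")),
}
SUSPECT_CERT = {
    "subject": ((("commonName", "example-phish.invalid"),),),
    "issuer": ((("organizationName", "Budget Certificates Ltd"),), (("commonName", "Example Budget DV CA"),)),
    "subjectAltName": (("DNS", "example-phish.invalid"),),
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "example-phish.invalid"),),),
    "issuer": ((("commonName", "example-phish.invalid"),),),
    "subjectAltName": (("DNS", "example-phish.invalid"),),
}


def assess(url: str, cert: dict) -> dict:
    """Combine the host check (step 1) with the certificate check (steps 2 and 5)."""
    host = host_of(url)
    findings = certificate_findings(cert, host)
    if not is_expected_host(url):
        findings.insert(0, f"host {host!r} is not an expected Microsoft domain")
    return {"host": host, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    print(assess("https://onedrive.live.com/?id=constructed", GENUINE_CERT))
    print(assess("https://example-phish.invalid/view", SUSPECT_CERT))
```

For a live check, replace the sample dictionary with `fetch_certificate(host_of(url))`; the handshake will already fail on an expired or mismatched certificate, and `certificate_findings` then catches the case the post describes, a valid certificate from a cheap issuer on a domain that is simply not Microsoft's.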
6: Always Use Throwaway Login Credentials
If you want to be brave and explore further, under no circumstances provide your actual login credentials to a website that appears to be a phishing scam!
Doing so is all that is required to pass on your login details to the operator. Then, you’re effectively done for and your Gmail username and password could easily wind up on a dark web marketplace.
For the purpose of verifying that this was indeed a scam (at this stage I was 99% sure), I set up a throwaway @outlook.com address just so that I could safely get past the login prompt and access the “share”.
Here there were some further discrepancies:
If you pay close attention to phishing login dialogs and real ones, you can often notice subtle differences.
Watch Out For Subtle UI Discrepancies
This is the phishing login for Google that the page linked to after I chose to log in through a Google account:
And this is an actual Google login that I just accessed and screenshotted to get to my GSuite email:
Notice any differences?
a) Google’s current UI only prompts for username first and then password, not both at the same time.
b) The genuine Google login doesn’t feature the footer text “One Google Account for everything Google”.
c) There are other obvious differences.
Like many phishing attempts, this is a bad forgery.
I logged in using my @outlook.com burner account and was greeted by an empty screen.
The URL had also reverted to live.com, so, having captured the credentials, the phishing operator presumably wanted the user to give up and move on.
7: Check the WHOIS
If you’ve determined beyond reasonable doubt that the domain is part of a phishing scam, it might be worth running a WHOIS lookup to see if you can alert the registrar and get the site pulled before vulnerable users hand over their actual login credentials.
This domain had been in operation for just 12 days, and the nameservers detected indicate that it was being hosted on NameCheap.
In this case, as a good deed for the day, I will alert NameCheapHosting to the fact that their services are being used to host a phishing site.
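The WHOIS check in step 7 asks two questions of the record: how recently was the domain created, and who hosts it (and therefore who to report it to)? The Python below is an added example for this post, not code from the original article. The WHOIS text is constructed for a made-up domain and describes no real registration, the 30-day "newly registered" threshold is an assumption, and the mapping of the `registrar-servers.com` nameserver suffix to Namecheap is an assumed hint; `run_whois` shells out to the system `whois` client for a live lookup.

```python
"""Added example: estimate a domain's age and likely hosting from WHOIS output,
the check step 7 runs by hand. The sample record, the 30-day threshold and the
nameserver-to-provider hint are all assumptions made for this example."""
import shutil
import subprocess
from datetime import datetime, timezone

# Constructed WHOIS record for a made-up domain, roughly in the shape the
# `whois` command prints. It does not describe any real registration.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PHISH.INVALID
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2019-01-03T10:15:22Z
Registry Expiry Date: 2020-01-03T10:15:22Z
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
"""

# Nameserver suffix -> hosting provider. Assumed mapping; registrar-servers.com
# is the default nameserver domain Namecheap hands out to its customers.
NAMESERVER_HINTS = {"registrar-servers.com": "Namecheap"}
# Domains younger than this are flagged as newly registered (assumed threshold).
NEW_DOMAIN_DAYS = 30


def parse_date(value: str) -> datetime:
    """Parse the date formats WHOIS servers commonly emit into an aware UTC datetime."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(value)
    except ValueError:
        parsed = datetime.strptime(value[:10], "%Y-%m-%d")
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def parse_whois(text: str) -> dict:
    """Pull the fields step 7 cares about out of raw 'Key: value' WHOIS text."""
    record = {"creation": None, "registrar": None, "abuse_email": None, "nameservers": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in ("creation date", "created", "registered on") and record["creation"] is None:
            record["creation"] = parse_date(value)
        elif key == "registrar" and record["registrar"] is None:
            record["registrar"] = value
        elif key == "registrar abuse contact email":
            record["abuse_email"] = value
        elif key == "name server" and value:
            record["nameservers"].append(value.lower())
    return record


def hosting_provider(nameservers):
    """Guess the provider from nameserver suffixes; None if no hint matches."""
    for ns in nameservers:
        for suffix, provider in NAMESERVER_HINTS.items():
            if ns == suffix or ns.endswith("." + suffix):
                return provider
    return None


def assess_domain(text: str, now: datetime = None) -> dict:
    """Age the domain against `now` (default: current UTC time) and summarize
    what you would need for an abuse report."""
    record = parse_whois(text)
    now = now or datetime.now(timezone.utc)
    age = (now - record["creation"]).days if record["creation"] else None
    return {
        "age_days": age,
        "newly_registered": age is not None and age < NEW_DOMAIN_DAYS,
        "registrar": record["registrar"],
        "abuse_email": record["abuse_email"],
        "provider": hosting_provider(record["nameservers"]),
    }


def run_whois(domain: str) -> str:
    """Run the system `whois` client (needs network; not used by the tests)."""
    if shutil.which("whois") is None:
        raise RuntimeError("no whois client installed")
    return subprocess.run(["whois", domain], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(assess_domain(SAMPLE_WHOIS, now=parse_date("2019-01-15T12:00:00Z")))
```

A domain only days old that is serving a login page for a company founded decades ago is a strong signal on its own, and the abuse contact pulled from the record is where a takedown request should go.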
I contacted the account owner and my suspicions were confirmed:
a) Be suspicious of any drive shares from strangers!
b) Always check the URL and SSL cert to differentiate between a genuine website and a phishing one.
Originally published at https://www.danielrosehill.co.il