Thursday September 19, 2024

Advisory ID: NCC-CSIRT-180823-031

Summary: Coral Tayar, a researcher at Cyberint, has identified a series of account breaches on LinkedIn. This has led to numerous accounts being either locked due to security concerns or completely taken over by attackers. In some cases, victims are forced into paying a ransom to regain access, while others face the possibility of their accounts being permanently deleted. These attacks can result in account takeovers, lockouts, and difficulties in resolving issues through LinkedIn's support system.

Threat Type(s): Ransomware

Impact/Vulnerability: HIGH/HIGH

Product(s): LinkedIn

Platform(s): LinkedIn Social Media Platform

Version(s): All Versions

Description: According to the researchers, attackers utilized two methods in exploiting LinkedIn accounts. The first method involves a temporary account lock, where victims receive an official LinkedIn email notifying them of the security measure. In such cases, the accounts themselves are not compromised; rather, suspicious activity or hacking attempts triggered the temporary lock. Threat actors likely attempted to breach accounts protected by two-factor authentication or brute-forced passwords, and LinkedIn blocked these attempts by locking the accounts.

The second method, termed a full account compromise, is more devastating. Here, victims' LinkedIn accounts are completely hijacked, preventing them from independently recovering their accounts. Threat actors follow a specific process to make account restoration impossible. They gain access to the account and change the associated email address to another address, often using addresses generated through the 'rambler.ru' mail system. Subsequently, the threat actors alter the account password. Because the email address has been changed, victims can no longer restore their accounts via email recovery. Some victims have received ransom messages (typically demanding a small sum) to regain access, while others have observed their accounts being deleted altogether.
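The two scenarios above map to two distinct patterns in an account-security event stream: repeated failed logins ending in a lock (first method), and a contact-email change followed shortly by a password change (second method). The following Python is an added detection example written for this advisory, not code from Cyberint or LinkedIn; the event-line format, the user names and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical audit-log format
# (key=value fields); not LinkedIn's real log schema.
SAMPLE_EVENTS = [
    "2024-09-19T10:02:11Z user=alice event=login_failed",
    "2024-09-19T10:02:40Z user=alice event=login_failed",
    "2024-09-19T10:03:05Z user=alice event=account_locked",
    "2024-09-19T11:15:00Z user=bob event=login_ok",
    "2024-09-19T11:16:30Z user=bob event=email_changed new=xk29@rambler.ru",
    "2024-09-19T11:18:02Z user=bob event=password_changed",
    "2024-09-19T12:00:00Z user=carol event=email_changed new=carol@example.org",
    "2024-09-19T15:30:00Z user=carol event=password_changed",
]

# Domain the advisory associates with the campaign's throwaway addresses.
SUSPECT_DOMAINS = {"rambler.ru"}
WINDOW = timedelta(minutes=30)  # assumed: how close the two changes must be

def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_lockouts(lines):
    """First scenario: {user: failed_login_count} for accounts locked after
    failed logins. The account is not compromised, but it is being attacked."""
    failures, locked = {}, {}
    for ev in map(parse_event, lines):
        user = ev["user"]
        if ev["event"] == "login_failed":
            failures[user] = failures.get(user, 0) + 1
        elif ev["event"] == "account_locked":
            locked[user] = failures.get(user, 0)
        elif ev["event"] == "login_ok":
            failures[user] = 0  # a successful login resets the counter
    return locked

def find_takeovers(lines, window=WINDOW):
    """Second scenario: {user: severity} where the contact email was changed
    and the password was changed within `window` afterwards. Severity is
    'high' when the new address is on a domain tied to the campaign."""
    last_email_change, findings = {}, {}
    for ev in map(parse_event, lines):
        user = ev["user"]
        if ev["event"] == "email_changed":
            last_email_change[user] = ev
        elif ev["event"] == "password_changed" and user in last_email_change:
            prior = last_email_change[user]
            if ev["ts"] - prior["ts"] <= window:
                domain = prior.get("new", "").rpartition("@")[2].lower()
                findings[user] = "high" if domain in SUSPECT_DOMAINS else "medium"
    return findings
```

In the sample, carol's legitimate email update is not flagged because her password change comes hours later, while bob's rapid email-then-password change to a rambler.ru address is reported as high severity.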

Consequences: Malicious individuals might capitalize on compromised profiles for social engineering, deceiving others into participating in harmful actions while posing as a trusted co-worker or manager.

Solution:

  • Check your account by promptly logging in and confirming if you still have access. Verify that all your contact information is accurate and truly yours. In case you are locked out and unable to recover through your email, reach out to LinkedIn support immediately.
  • Review your email inbox for any messages sent by LinkedIn about the addition of an extra email to your account. If you did not initiate this action and discover such an email, consider it a serious red flag. Ensure that you can still log into your account, change your password, and eliminate the added email address from your contact details.
  • Utilize a strong and unique password exclusively for your LinkedIn account. Avoid reusing passwords across different platforms.
  • Activate the two-step verification feature for enhanced security on your LinkedIn account.

References:
https://www.bleepingcomputer.com/news/security/linkedin-accounts-hacked-in-widespread-hijacking-campaign/

https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/

https://twitter.com/search?q=linkedin%20account%20hacked

https://www.reddit.com/r/linkedin/comments/15cx1zg/mega_thread_so_your_linkedin_account_got/